Frequently Asked Question

What is the maximum period of time that cardholder data can be stored?

PCI DSS does not define minimum or maximum times for how long cardholder data may be stored. PCI DSS Requirement 3.2.1 specifies that a data retention and disposal policy must be implemented to limit data storage to that which is necessary for legal, regulatory, and/or business purposes. Note that any storage of sensitive authentication data (including full track data, card verification codes/values, and PIN block data) after authorization is prohibited under PCI DSS Requirement 3.3.1, regardless of the retention policy.

Wherever cardholder data is stored, it must be protected in accordance with applicable PCI DSS Requirements, including Requirements 3.5–3.7 (electronic storage) and 9.4 (storage on physical media). Once cardholder data is no longer required, it must be securely deleted or rendered unrecoverable.

July 2025
Article Number: 1318