FAQ #1318 Diff
What is the maximum period of time that cardholder data can be stored?
Earlier Version
Later Version
Removed
Added
PCI DSS does not define a specific maximum or minimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention and disposal policies, procedures, and processes to ensure that account data is retained only for the period necessary to meet legal, regulatory, and/or business requirements.
The only account data that may be stored after authorization includes:
Primary account number (PAN) — if rendered unreadable
Expiration date
Cardholder name
Service code
Any sensitive authentication data (SAD) — such as full track data, card verification codes/values, ormaximum times forPIN blocks — must never be stored after authorization, as per Requirement 3.3. When cardholder data is stored electronically, it must be protected in line with Requirements 3.4 to 3.6, which cardholder data may be stored. PCI DSS Requirement 3.1 specifiesaddress rendering data unreadable, securing cryptographic keys, and managing the full key lifecycle.
Stored data must be securely deleted or rendered unrecoverable once it is no longer needed. Entities are also required to verify at least every three months thata datadata exceeding retention and disposal policy must be implemented to limit data storage to that which is necessary for legal, regulatory, and/or business purposes. It should be noted that any storage of sensitive authentication data (including full track data, card verification codes/values, and PIN block data) is prohibited after authorization per PCI DSS Requirement 3.2.
Whenever cardholder data is stored, it must be protected in accordance with applicable PCI DSS Requirements, including Requirements 3.4 ? 3.6 (electronic storage) and 9.5 ? 9.8 (storage on physical media). Once cardholder data is no longer required, it must belimits has been securely deleted.removed.
The only account data that may be stored after authorization includes:
Primary account number (PAN) — if rendered unreadable
Expiration date
Cardholder name
Service code
Any sensitive authentication data (SAD) — such as full track data, card verification codes/values, or
Stored data must be securely deleted or rendered unrecoverable once it is no longer needed. Entities are also required to verify at least every three months that
Whenever cardholder data is stored, it must be protected in accordance with applicable PCI DSS Requirements, including Requirements 3.4 ? 3.6 (electronic storage) and 9.5 ? 9.8 (storage on physical media). Once cardholder data is no longer required, it must be
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.