FAQ #1318 Diff
What is the maximum period of time that cardholder data can be stored?
Earlier Version
Later Version
Removed
Added
PCI DSS does not define minimum or maximum times for how long cardholder data may be stored. PCI DSS Requirement 3.2.1 specifies that a specific maximumdata retention and disposal policy must be implemented to limit data storage to that which is necessary for legal, regulatory, and/or business purposes. It should be noted that any storage of sensitive authentication data (including full track data, card verification codes/values, and PIN block data) is prohibited after authorization per PCI DSS Requirement 3.3.1.
Wherever cardholder data is stored, it must be protected in accordance with applicable PCI DSS Requirements, including Requirements 3.5 — 3.7 (electronic storage) and 9.4 (storage on physical media). Once cardholder data is no longer required, it must be securely deleted orminimum length of time for which cardholder data can be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention and disposal policies, procedures, and processes to ensure that account data is retained only for the period necessary to meet legal, regulatory, and/or business requirements.
The only account data that may be stored after authorization includes:
Primary account number (PAN) — ifrendered unreadable
Expiration date
Cardholder name
Service code
Any sensitive authentication data (SAD) — such as full track data, card verification codes/values, or PIN blocks — must never be stored after authorization, as per Requirement 3.3. When cardholder data is stored electronically, it must be protected in line with Requirements 3.4 to 3.6, which address rendering data unreadable, securing cryptographic keys, and managing the full key lifecycle.
Stored data must be securely deleted or rendered unrecoverable once it is no longer needed. Entities are also required to verify at least every three months that data exceeding retention limits has been securely removed.unrecoverable.
Wherever cardholder data is stored, it must be protected in accordance with applicable PCI DSS Requirements, including Requirements 3.5 — 3.7 (electronic storage) and 9.4 (storage on physical media). Once cardholder data is no longer required, it must be securely deleted or
The only account data that may be stored after authorization includes:
Primary account number (PAN) — if
Expiration date
Cardholder name
Service code
Any sensitive authentication data (SAD) — such as full track data, card verification codes/values, or PIN blocks — must never be stored after authorization, as per Requirement 3.3. When cardholder data is stored electronically, it must be protected in line with Requirements 3.4 to 3.6, which address rendering data unreadable, securing cryptographic keys, and managing the full key lifecycle.
Stored data must be securely deleted or rendered unrecoverable once it is no longer needed. Entities are also required to verify at least every three months that data exceeding retention limits has been securely removed.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.