If it has been confirmedPCI DSS applies to any primary account number (PAN), including active, expired, or cancelled PAN, except where the organization can provide documentation which confirms that the cards arePAN is inactive or disabled, the PANs (Primary Account Numbers)otherwise disabled and no longer poseposes a fraud risk to the payment system, and PCI DSS would not apply in these cases.system. If, however, the PAN is later reactivated, PCI DSS will again apply.

When payment cards expire, the same account number is often reused on the new card with a different expiry date. The PAN shouldmust therefore be verified as not being valid before expired cards are excluded from PCI DSS scope.

Entities should retain PAN based on business/legal needs, as defined in data retention policy (PCI DSS Requirement 3.1). Remember: If you don?t need it, don?t store it.