PCI DSS does not define minimum ora specific maximum timesor minimum length of time for which cardholder data maycan be stored. PCI DSS Requirement 3.1 specifies that a data retention and disposal policy must be implemented to limit data storage to that which is necessary for legal, regulatory, and/or business purposes. It should be noted that any storage of sensitive authentication data (including full track data, card verification codes/values, and PIN block data) is prohibited after authorization per PCI DSS Requirement 3.2.1 requires entities to implement data retention and disposal policies, procedures, and processes to ensure that account data is retained only for the period necessary to meet legal, regulatory, and/or business requirements.

The only account data that may be stored after authorization includes:

Primary account number (PAN) — if rendered unreadable
Expiration date
Cardholder name
Service code

Any sensitive authentication data (SAD) — such as full track data, card verification codes/values, or PIN blocks — must never be stored after authorization, as per Requirement 3.3. Whenever cardholder data is stored cardholder data is stored electronically, it must be protected in accordancline with applicable PCI DSS Requirements, including Requirements 3.4 ?to 3.6 (electronic stora, which address renderinge) and 9 data unreadable, securing cryptographic keys, and managing the full key lifecycle.5 ? 9

Stored data must be securely deleted or rendered unrecoverable once it is no longer needed.8 (stora Entities are also required to verify at least every three months that data exceedinge on physical media) retention limits has been securely removed. Once cardholder data is no longer required, it must be securely deleted.