PCI DSS does not define a speciminimum or maximum times fic maximum or minimum length of time for or howhich cardholder data can long cardholder data may be stored. PCI DSS Requirement 3.2.1 requires entities to implement data retention and disposal policies, procedures, and processes to ensure that account data is retained onlspecifies that a data retention and disposal policy must be implemented to limit data storage to that which is necessary for the period necessary to meet legal, regulatory, and/or business requirements.

The onlpurposes. It should be noted that any account data that may be stored astorage ofter authorization includes:

Primary account number sensitive authentication data (PAN) — if rendered unreadable
Expiration date
Cardholder name
Service code

Any sensitive authentication data (SAD) — such asincluding full track data, card verification codes/values, orand PIN blocks — must never be stor data) is prohibited after authorization, as per per PCI DSS Requirement 3.3. When cardholder data is stored electronically, it must be protected in line with Requirements 3.4 to 3.6, which address rendering data unreadable, securing cryptographic keys, and managing the full key lifecycle1.

Wherever cardholder data is stored, it must be protected in accordance with applicable PCI DStored data must be securelS Requirements, including Requirements 3.5 — 3.7 (electronic storage) and 9.4 (storage on physical media). Once cardholder data is no longer required, it must be securely deleted or rendered unrecoverable once it is no longer needed. Entities are also required to verify at least every three months that data exceeding retention limits has been securely removed..