Benchmark: 3.1.a Examine the data retention and disposal policies, procedures and processes to verify they satisfy all the requirements for cardholder data (CHD) storage

Description

procedures and processes should they include the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons), processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons and a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!