What is the requirement surrounding data retention according to PCI DSS?


The requirement regarding data retention according to PCI DSS focuses on the necessity for organizations to securely delete cardholder data when it is no longer needed. This is fundamental to maintaining security and confidentiality, as excess retention of sensitive information increases the risk of data breaches. By ensuring that organizations have processes in place to securely delete data that is unnecessary for processing or meeting business needs, PCI DSS aims to minimize the data footprint and protect against unauthorized access.

This requirement aligns with the principle of “need to know,” whereby organizations only retain information that is essential for operational, legal, or compliance purposes. It emphasizes the importance of having a clear understanding of data lifecycle management, including the timely and secure disposal of cardholder data once it is no longer relevant.

Additionally, retaining cardholder data indefinitely, archiving it for extended periods, or keeping it permanently in encrypted form all run counter to the objectives of PCI DSS, which stress data minimization and risk reduction; encryption protects stored data but is not a substitute for deleting data that is no longer needed.
