Cardholder Data Retention Standard
Retention periods and secure-deletion requirements for cardholder data and related transaction records.
Purpose
This standard sets maximum retention periods for cardholder data and related records, and the method required to securely delete each data element once its retention period expires.
Retention schedule
Retention periods below are maximums; systems should not retain data longer than operationally necessary even within these limits.
| Data element | Retention period | Storage location |
|---|---|---|
| Full PAN (tokenized) | Life of account + 13 months | Tokenization vault |
| Transaction records | 7 years | Core banking archive |
| Authorization logs | 12 months | Log management platform |
| Chargeback case files | 5 years | Dispute Operations case system |
| CCTV / branch footage tied to a card incident | 90 days | Physical security archive |
Secure deletion
Data reaching the end of its retention period must be deleted using crypto-shredding (destruction of the encryption key) where the data is encrypted at rest, or secure overwrite where it is not. Deletion jobs run monthly and produce a deletion certificate retained by Card Security & Compliance for audit purposes.
Backups are included in scope: once a data element's retention period expires, it must also be purged from backup media on the next backup rotation cycle, and no later than 90 days after the primary copy is deleted.