StandardCard Security & Compliance

Cardholder Data Retention Standard

Retention periods and secure-deletion requirements for cardholder data and related transaction records.

v1.1effective 2025-02-20

Purpose

This standard sets maximum retention periods for cardholder data and related records, and the method required to securely delete each data element once its retention period expires.

Retention schedule

Retention periods below are maximums; systems should not retain data longer than operationally necessary even within these limits.

Data elementRetention periodStorage location
Full PAN (tokenized)Life of account + 13 monthsTokenization vault
Transaction records7 yearsCore banking archive
Authorization logs12 monthsLog management platform
Chargeback case files5 yearsDispute Operations case system
CCTV / branch footage tied to a card incident90 daysPhysical security archive

Secure deletion

Data reaching the end of its retention period must be deleted using crypto-shredding (destruction of the encryption key) where the data is encrypted at rest, or secure overwrite where it is not. Deletion jobs run monthly and produce a deletion certificate retained by Card Security & Compliance for audit purposes.

Backups are included in scope: once a data element's retention period expires, it must also be purged from backup media on the next backup rotation cycle, and no later than 90 days after the primary copy is deleted.