Data retention and disposal policies for cardholder data storage must include which elements?


Multiple Choice

Data retention and disposal policies for cardholder data storage must include which elements?

Explanation:

Cardholder data should only be stored for the minimum time necessary and disposed of securely when it’s no longer needed. A proper data retention and disposal policy lays out how long card data is kept, the specific retention requirements for different data types, and the secure deletion method used when data reaches its end of life. The best answer also adds a routine, such as a quarterly process, to purge data that has exceeded its retention period. This ensures data isn’t kept longer than required and that all copies, including backups, are securely erased, reducing the risk of exposure.

Why this is the right approach: it aligns with PCI DSS guidance to minimize stored cardholder data, define clear retention periods, and use secure deletion methods. Regularly deleting data that has outlived its retention period prevents accumulation of unnecessary sensitive information and closes potential attack vectors.

Not storing data at all isn’t always practical for many environments, indefinite retention violates the principle of minimization, keeping data in plain text is inherently insecure, and encryption of backups alone doesn’t substitute for a defined retention and secure disposal process.
