Under PCI DSS, what is true about storing sensitive authentication data after authorization?


Multiple Choice

Under PCI DSS, what is true about storing sensitive authentication data after authorization?

Explanation:
Sensitive authentication data must not be stored after authorization. This includes data such as full track (magnetic stripe) data, CVV/CVC/CID codes, and PIN blocks. Even if the data is encrypted, there is a business justification for keeping it, or it is masked later, PCI DSS requires that it not be retained once authorization is complete. If such data has already been captured, it must be discarded or rendered unrecoverable. The goal is to eliminate the risk that this highly sensitive data could be misused if it were compromised. In practice, you may retain non-sensitive identifiers (for example, a tokenized reference or a masked account number), but never the authentication data itself after authorization.