A data retention policy is a set of guidelines that businesses use to manage how they store customer data. It explains how long data should be kept and why. This policy must be reviewed every three months to ensure old data is removed on time.
Why does it matter?
If you store any customer data, you must have a data retention policy that includes:
- How long you keep data and why
- How to securely delete data
- A quarterly review process to remove old data
- Training for all employees about these rules
Can you store Sensitive Authentication Data (SAD)?
No. Never store sensitive authentication data in any form — not electronically, not on paper.
What is a PAN?
PAN stands for Personal Account Number. It's the complete number shown on a customer's card.
How should you handle card numbers on receipts?
Customer receipts must hide most of the card number (called masking). The merchant's copy may show the full number if stored in a locked, secure location.
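As an added illustration of the masking rule above (example code, not part of the original page or any card brand's specification), the following Python function hides all but the last four digits of a card number before it is printed on a customer receipt. The choice to show exactly the last four digits, the accepted length range of 12 to 19 digits, and the helper that scans a whole receipt line are assumptions made for this example; the page itself only says that most of the number must be hidden.

```python
"""Mask a card number (PAN) for a customer receipt.

Added example, not from the original page. Assumptions made here:
- only the last four digits remain visible, every other digit becomes '*'
- a card number is 12 to 19 digits, optionally separated by spaces or dashes
"""
import re

MIN_PAN_DIGITS = 12          # assumed lower bound for a card number
MAX_PAN_DIGITS = 19          # assumed upper bound for a card number
VISIBLE_TRAILING_DIGITS = 4  # assumed: receipt shows only the last four


def mask_pan(pan: str, visible: int = VISIBLE_TRAILING_DIGITS) -> str:
    """Return the PAN with every digit except the last `visible` replaced by '*'.

    Separators (spaces, dashes) are dropped so the masked value cannot leak
    digit grouping; input that is not a plausible card number is rejected
    rather than silently printed.
    """
    digits = re.sub(r"\D", "", pan)
    if not MIN_PAN_DIGITS <= len(digits) <= MAX_PAN_DIGITS:
        raise ValueError("input does not look like a card number")
    hidden = len(digits) - visible
    return "*" * hidden + digits[-visible:]


# Digit run of 12 to 19 digits, each optionally followed by a space or dash.
_PAN_PATTERN = re.compile(r"(?:\d[ -]?){11,18}\d")


def mask_pan_in_text(text: str) -> str:
    """Mask every card-number-looking digit run inside a receipt line.

    Shorter digit runs (amounts, authorisation codes) are left untouched.
    """
    return _PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample receipt line; the card number is a well-known test value.
    line = "Card: 4111 1111 1111 1111 Auth 123456 Total 12.34"
    print(mask_pan_in_text(line))
```

Run the masking at the point where the customer copy is rendered, so the full number never reaches the printer spool or any log that records receipt text; the merchant copy, if it carries the full number, is produced by a separate path and stored as the page describes.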