ISU does not have a legal, regulatory, or business need to store cardholder data after transactions complete. All cardholder data in ISU possession is deleted immediately after processing.For information on cardholder data retention, see the Cardholder Data Collection & Processing Procedures.

Electronic Cardholder Data

Electronic cardholder data is only maintained in volatile memory, and systems with electronic cardholder data are prevented from initially storing the cardholder data via technical implementations, such as exclusively processing with vendor-maintained card capture pages. 

Physical Cardholder Data

Physical media containing cardholder data must be destroyed immediately after processing. Locations with physical media must have a paper shredder at the location where the physical media is processed, such as at the cubicle or in the office room. All media containing cardholder data must be cross-shredded on-location immediately after the transaction completes.

Data Element Reference Chart

Different data elements have varying storage allowances according to the PCI DSS standard, and the ISU storage allowances meet or exceed PCI allowances. Please consult the chart below to determine if you may store specific data elements.