E-Commerce

Cardholder Data Retention Procedures

Last modified 4/17/2024

ISU does not have a legal, regulatory, or business need to store cardholder data after transactions complete. All cardholder data in ISU possession is deleted immediately after processing.For information on cardholder data retention, see the Cardholder Data Collection & Processing Procedures.

Electronic Cardholder Data

Electronic cardholder data is only maintained in volatile memory, and systems with electronic cardholder data are prevented from initially storing the cardholder data via technical implementations, such as exclusively processing with vendor-maintained card capture pages. 

Physical Cardholder Data

Physical media containing cardholder data must be destroyed immediately after processing. Locations with physical media must have a paper shredder at the location where the physical media is processed, such as at the cubicle or in the office room. All media containing cardholder data must be cross-shredded on-location immediately after the transaction completes.

Data Element Reference Chart

Different data elements have varying storage allowances according to the PCI DSS standard, and the ISU storage allowances meet or exceed PCI allowances. Please consult the chart below to determine if you may store specific data elements.

Classification

Data Element

Digital Storage Pre-Transaction

Physical Storage Pre-Transaction

Storage Post-Transaction



Cardholder Data

Primary Account Number (PAN)

No

Yes, if necessary

No

Cardholder Name

Yes, if necessary

Yes, if necessary

Yes, if necessary

Service Code (3-4 digit code in magnetic stripe)

No

Yes, if necessary

No

Expiration Date

Yes, if necessary

Yes, if necessary

Yes, if necessary


Sensitive Authentication Data

Full Track Data (Magnetic Stripe)

No

No

No

Card Security Code (CAV2/CVC2/CVV2/CID)

No

Yes, if necessary

No

PIN/PIN Block

No

No

No