E-Commerce
Cardholder Data Retention Procedures
Last modified 4/17/2024
ISU does not have a legal, regulatory, or business need to store cardholder data after transactions complete. All cardholder data in ISU possession is deleted immediately after processing. For information on cardholder data retention, see the Cardholder Data Collection & Processing Procedures.
Electronic Cardholder Data
Electronic cardholder data is only maintained in volatile memory, and systems with electronic cardholder data are prevented from initially storing the cardholder data via technical implementations, such as exclusively processing with vendor-maintained card capture pages.
Physical Cardholder Data
Physical media containing cardholder data must be destroyed immediately after processing. Locations with physical media must have a paper shredder at the location where the physical media is processed, such as at the cubicle or in the office room. All media containing cardholder data must be cross-shredded on-location immediately after the transaction completes.
Data Element Reference Chart
Different data elements have varying storage allowances according to the PCI DSS standard, and the ISU storage allowances meet or exceed PCI allowances. Please consult the chart below to determine if you may store specific data elements.
| Classification | Data Element | Digital Storage Pre-Transaction | Physical Storage Pre-Transaction | Storage Post-Transaction |
| | Primary Account Number (PAN) | No | Yes, if necessary | No |
| | Cardholder Name | Yes, if necessary | Yes, if necessary | Yes, if necessary |
| | Service Code (3-4 digit code in magnetic stripe) | No | Yes, if necessary | No |
| | Expiration Date | Yes, if necessary | Yes, if necessary | Yes, if necessary |
| Sensitive Authentication Data | Full Track Data (Magnetic Stripe) | No | No | No |
| Sensitive Authentication Data | Card Security Code (CAV2/CVC2/CVV2/CID) | No | Yes, if necessary | No |
| Sensitive Authentication Data | PIN/PIN Block | No | No | No |