CEG Financial Account Data Retention & Disposal Policy

(PCI DSS Requirement 3.2.1)

Purpose:

To minimize the storage of account data and sensitive authentication data (SAD) in compliance with PCI DSS requirements, reducing the risk of data compromise.

Scope:

This policy applies to all systems, applications, storage media, and locations where cardholder data or sensitive authentication data may be stored, including:

  • Payment gateways and merchant accounts (PayPal, Stripe, QuickBooks Online, Kajabi)
  • Company-owned devices (laptops, mobile devices)
  • Cloud storage (Google Drive, Google Workspace backups)
  • SaaS service provider storage

Policy:

1. Data Minimization

  • Account data storage is kept to an absolute minimum.
  • No cardholder data will be stored on CEG-managed devices or local drives.
  • All payment processing will be performed through PCI DSS–compliant Third-Party Service Providers (TPSPs) — PayPal, Stripe, Kajabi, QuickBooks Online.

2. Sensitive Authentication Data (SAD)

  • SAD (e.g., full magnetic stripe, CVV2/CVC2, PIN data) must never be stored after authorization, even if encrypted.
  • Temporary storage of SAD prior to authorization is allowed only as a business necessity and must be securely deleted immediately upon authorization completion.

3. Retention Period & Justification

  • Retention periods must be documented and tied to legal, regulatory, or operational business requirements.
  • Current retention requirements:
    • Transaction records: Retained within TPSP systems for up to 24 months to meet financial recordkeeping obligations.
    • Customer contact records: Retained in the CRM for the duration of the customer relationship plus 12 months.
  • Any retention beyond these timeframes requires written approval from the Operations Manager with documented justification.

4. Secure Disposal

  • When data exceeds the retention period, it must be securely deleted or rendered unrecoverable:
    • Digital deletion methods must comply with NIST SP 800-88 Rev. 1.
    • Cloud deletion must follow the provider’s verified secure deletion process.
    • Backups containing account data must be securely overwritten or destroyed.

5. Quarterly Verification

  • Every 3 months, the Operations Manager (or designated security lead) will:
    • Review storage locations in QBO, Stripe, PayPal, Kajabi, and Google Drive for account data older than the retention period.
    • Confirm that such data has been securely deleted.
    • Record verification in the Quarterly PCI DSS Compliance Log.

6. Documentation & Audit Trail

  • All verification records, deletion logs, and retention justifications will be stored in the PCI DSS Compliance Folder in a secure Google Drive location.
  • Records will be retained for a minimum of 12 months to demonstrate ongoing compliance.