Payment Card Industry (PCI) Data Security Standards Practice Test


Prepare for the Payment Card Industry (PCI) Data Security Standards Test. Study with multiple choice questions, hints, and explanations. Get ready to excel in your exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which statement is correct regarding storage of cardholder data?

  1. Encrypting stored cardholder data removes it from PCI DSS scope

  2. Stored cardholder data that exceeds retention requirements needs to be removed on a quarterly basis

  3. Log files containing cardholder data must be securely deleted on a quarterly basis

  4. Stored cardholder data that exceeds retention requirements needs to be removed on an annual basis

The correct answer is: Log files containing cardholder data must be securely deleted on a quarterly basis

Understanding how cardholder data may be stored is critical to maintaining compliance with PCI DSS requirements. This question concerns the management of log files that include cardholder data. These log files must be securely deleted because they can present significant risks if they are not handled properly: compliance violations can lead to breaches of cardholder data protection. Keeping such logs without a clear business need or proper retention policies puts organizations at risk. The requirement to manage these logs quarterly is aligned with the PCI DSS emphasis on minimizing the quantity of stored sensitive data and maintaining security controls.

In contrast, the other statements may imply alternate measures that do not accurately reflect the PCI DSS guidelines for data retention and deletion. Encrypting data does not automatically remove it from PCI DSS scope, as even encrypted data needs to be managed appropriately. Additionally, while there are mandates for data deletion, the specific timeframe of quarterly or annual removal of stored cardholder data is subject to the requirements outlined in the organization's data retention policy and legal considerations, making the specific claim about annual deletion incorrect.