Data Retention & Disposal

  • Does SOX state how long cardholder data (PAN, Expiry Date, etc) is required to be kept in history? (and if so, what if we have a business requirement to keep the data for a longer period?)
    I am currently busy re-defining our Data Retention and Disposal policy and want to ensure that I get it right.
    Any help would be great - thanks

  • The short answer would be no. There may be other standard/regulations governing this though depending on which industry vertical you are (finance health etc). Data retention policies are governed mostly by business requirements.

  • … what if we have a business requirement to keep the data for a longer period?
    Hi Seal – I agree with Calvin’s response. As you evaluate retention periods, SOX specifies minimum retention periods (typically 7 years for most items), and firms can certainly keep information as long as it’s needed for business reasons.
    A thorough review of retention periods is a valuable process to perform every couple of years 🙂 It’s even more critical in light of SOX requirements.

  • In early December of 2006, some new amendments to the Federal Rules of Civil Procedure (FRCP) were released which provide some guidance on data retention. Although these new procedures were not necessarily designed with SOX in mind, they will be enforced in courts and thus will become new standard procedure for most companies. Of course, you will have to determine for yourself whether your data retention could have materiality ramifications (and accordingly whether you should factor it into your SOX planning).
    See the following article from (no, I’m not in any way affiliated with this publication…):,1895,2064416,00.asp
    Hope this helps.

  • Thanks for all your help - the main reason I wanted to know this is that we are also in the process of complying with the MasterCard/Visa PCI DSS, which does not state how long you are required to keep cardholder data.
    I think for our business purposes 7 years will be sufficient.
    I just need to ensure that our disposal of data is adequate.

  • Hello,
    I didn’t want to post a new entry, hence posted it here since it relates to the same topic.
    We have long term contracts with vendors in which we have an audit clause stating our rights to review contract related data and that the contractor is supposed to retain the data for 2 years after the termination of the contract.
    I was wondering if the 2 year period that we have stated in our contracts is sufficient as per SOX requirements. I realized through research that acceptable practice of keeping vendor related documents is 6 years from termination of the contract.
    Would anyone shed some light on this? If available, please provide a source reference that I can present to management.

  • SOXBOX - The 2 year right to audit wording is probably adequate. This would be set as a business requirement for you from an operational perspective. There may be other reasons for the other party to keep data longer than the 2 years. I don’t necessarily see a SOX connection to this that would require you to require the vendor to keep information any longer than the 2 year period.