Which statement about data retention and secure deletion is correct?

• A. Deletion is optional if data is archived.
• B. Data should never be deleted after retention period.
• C. Deletion should be performed only during a system upgrade.
• D. There must be a quarterly process to identify and securely delete CHD that exceeds defined retention, and secure deletion when no longer needed.

Answer: (D)

Data retention and secure deletion require you to keep cardholder data only for a defined period and to dispose of it securely when it’s no longer needed. The statement that there should be a formal, quarterly process to identify CHD that exceeds the defined retention and to securely delete it aligns with this principle. It shows an ongoing control that prevents unnecessary data from lingering and provides a routine, verifiable way to purge data that should no longer be kept. Secure deletion means using approved methods to render data unrecoverable, such as deleting the data itself or destroying cryptographic keys if you rely on encryption, so that the CHD cannot be retrieved. The other options contradict the policy: data should not be kept indefinitely after its retention period, deletion isn’t reserved only for system upgrades, and deleting data isn’t optional when it’s archived but must follow the defined retention and disposal procedures.