Many of the merchants I’ve dealt with keep everything and I do mean everything. I’ve run into systems that have card numbers in their databases that date back to the first time they opened up an e-commerce site in the late 80’s. The majority of the card numbers in these systems have long since expired, but the merchant steadfastly refuses to purge any of the data ‘just in case it might be useful some day’. In most cases, they don’t actually use the stored credit card numbers in any way, shape or form, but they feel the need to have the data just to have the data. After all, we all know data is valuable, and what’s more valuable than a potential customer’s credit card number?
I have had similar experiences as well, even more so on the development side where “log everything” you never know when you will need it” was the mentality – you should be able to see why this is a problem.
What Martin writes about is something that you *should* be doing anyway per PCI 3.1 – If you look at the testing procedures however, there is no test to tie the retention period documented in the policies to the actually data that is retained.