Ace the Governance, Risk & Compliance Challenge 2025 – Unleash Your Inner GRC Analyst!

Question: 1 / 400

What must be done to protect stored account data according to PCI DSS?

Retain all possible account data

Store plaintext cardholder data securely

Only store minimal account data

Collect and store CVV2 indefinitely

To protect stored account data in accordance with the Payment Card Industry Data Security Standard (PCI DSS), the best practice is to only store minimal account data. This approach emphasizes the importance of collecting and retaining only the essential information needed for business purposes while minimizing exposure to potential data breaches.

Storing only minimal account data reduces the risk of sensitive information falling into the hands of malicious actors. By limiting the amount of data that is retained, organizations can better comply with both regulatory requirements and industry standards aimed at protecting cardholder information. It aligns with the principle of data minimization, which is a critical aspect of data governance and protection.

In contrast, retaining all possible account data or storing plaintext cardholder data securely goes against the guidelines set by PCI DSS, which advocate for the reduction of sensitive data storage to minimize the potential impact of data breaches. Additionally, the indefinite collection and storage of CVV2 is explicitly prohibited under PCI DSS, emphasizing the need to secure sensitive card information even further.
