Record & PCI Data Record Retention and Disposal Policy
Document information and change log
Document Information
Header | Information |
Next review | Oct 31, 2025 |
Status | Combination of Data/Record Retention and Disposal Policies |
Regional scope & language | United States (English) |
Applies to entities | GiveCorporation Inc. |
Overall responsibility | Loraine Stewart, CCO |
Approved by | Joshua Rowley, CEO; Aaron Miller, CRTO |
Change log
Date | Version | Reason for version |
Oct 31, 2024 | 1.0 | Initial Release |
August 8, 2025 | 1.1 | Added Expired Card Data Retention Policy and Truncated Card Number Access |
Gender And Entity Neutrality
The masculine form is used solely for the sake of better readability. It always refers to persons of any gender identity (m/f/diverse). This document uses the abbreviation “Give” for all legal entities and subsidiaries.
Table of Contents
I. PCI Data Retention and Disposal Policy
Retention of Expired Card Data
II. Record Retention and Disposal Policy
F. Disposal Schedule - Customer/Merchant Operational Information
Disposal Schedule - Governance and Operations: Human Resources and Payroll Records
I. PCI Data Retention and Disposal Policy
1. Purpose
The purpose of this policy is to define the retention and disposal requirements for all credit card data stored or processed by Give Corporation, in compliance with the Payment Card Industry Data Security Standard (PCI DSS).
2. Scope
This policy applies to all employees, contractors, and third-party service providers who handle credit card data on behalf of Give Corporation.
3. Sensitive Data
It is critical to protect sensitive data. Most data protection controls are defined in the Information Security Policy, in the sections covering access control, strong authentication, encryption, monitoring and alerting.
Data protection also requires rules for how long data is kept and how it is destroyed. Those rules are set out in this policy and in the Record Retention and Disposal Policy (Part II below).
Give Corporation shall retain credit card data only for the period necessary to fulfill business, legal, and regulatory requirements, and shall securely dispose of such data after the retention period has expired.
The retention periods for credit card data shall be determined as follows:
- Primary Account Numbers (PANs) in plaintext, Card Verification Values (CVV/CVC) and full magnetic stripe (track) data shall not be stored after authorization, even in encrypted form.
- Tokenized PANs associated with the risk profile, future payment, recurring payment or subscription service may be stored for the duration of the service or as required by law or specific business need.
- Cardholder data that is associated with the risk profile, future payment, recurring payment or subscription service may be stored for the duration of the service, or as required by law or specific business need.
- Security-related data (such as logs, audit trails, and security incident reports) shall be retained for a minimum of 1 year, with at least the most recent 3 months immediately available for analysis, as PCI DSS requires.
- Only authorized administrators can copy or export PAN data. All other users with access to PAN data must have their privileges to export or copy tables containing PAN data revoked.
- Truncated Card Number Access. Our system enforces strict access controls:
- Merchants can only view truncated card numbers for their own accounts.
- Acquirer users can view truncated card numbers across all accounts.
Access to truncated PAN is necessary for operational purposes, allowing authorized personnel to verify transaction details, resolve customer and merchant inquiries, and support fraud and risk investigations — all without exposing the full card number.
- Data will be inventoried and reviewed at least annually by key custodians for relevance and retention requirements.
Transmission Restrictions
The transmission of credit card data via Slack or any other instant messaging or end-user messaging service is strictly prohibited. This ensures that sensitive data is not shared over insecure or non-compliant channels.
Retention of Expired Card Data
Give Corporation retains expired card data for a maximum of two (2) years after the card’s expiration date. During this retention period, expired cards may continue to be processed through the Visa Account Updater (VAU) and Mastercard Automatic Billing Updater (ABU) services where applicable. At the end of the two-year retention period, all expired card data is securely deleted in accordance with Give Corporation’s data deletion procedures and applicable PCI DSS standards. This retention policy ensures operational continuity while minimizing the storage of cardholder data that no longer has business or legal value.
4. Disposal Requirements
Give Corporation shall dispose of credit card data in a secure and irreversible manner to prevent unauthorized access or retrieval. The disposal methods shall be appropriate to the sensitivity of the data and shall include at least one of the following:
- Physical destruction (such as shredding or incineration) of paper documents or storage media.
- Electronic erasure or destruction of electronic media (such as hard drives, tapes, or flash memory).
- Secure deletion of electronic data using a recognized media sanitization standard (for example NIST SP 800-88 or DoD 5220.22-M).
Prior to deletion, sensitive PCI card data such as the PAN must undergo a secure sanitization process. This includes overwriting the stored PCIDigest by setting all of its bytes to zero, so that no residual sensitive information remains accessible or recoverable from the record.
This process ensures that sensitive credit card information is not recoverable and complies with both regulatory requirements and industry best practices.
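The following is an added example, not code from Give Corporation's systems, showing three of the rules above in runnable form: merchant and acquirer users only ever receive a truncated PAN, scoped to the accounts they are entitled to see (section 3); an expired card becomes eligible for deletion two years after its expiry date (Retention of Expired Card Data); and the stored PAN buffer is zeroed in place before the record is dropped (section 4, where the page zeroes the PCIDigest). The record layout, role names and the card number used are constructed for illustration; the PAN is a published test number, not a real card.

```python
# Added example (not Give Corporation's code). The CardRecord layout, the role
# strings "merchant"/"acquirer" and the sample data are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CardRecord:
    merchant_id: str
    pan: bytearray      # kept in a mutable buffer so it can be zeroed in place
    exp_year: int       # card is valid through the last day of exp_month/exp_year
    exp_month: int


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so malformed numbers are rejected before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return no more than the first six and last four digits.
    PCI DSS permits at most the BIN and last four to be shown; the rest is masked."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def view_truncated(rec: CardRecord, role: str,
                   requester_merchant_id: Optional[str] = None) -> str:
    """Truncated-PAN access rule: acquirer users see every account, merchant
    users only their own, and no caller receives the full PAN."""
    if role == "acquirer":
        return truncate_pan(rec.pan.decode())
    if role == "merchant" and requester_merchant_id == rec.merchant_id:
        return truncate_pan(rec.pan.decode())
    raise PermissionError(f"{role} may not view card data for {rec.merchant_id}")


def deletion_due(rec: CardRecord, today: date) -> bool:
    """True once the two-year post-expiry retention window has passed.
    The card expires at the end of exp_month; two years later is the end of the
    same month, so deletion is due from the first day of the following month."""
    y, m = rec.exp_year + 2, rec.exp_month + 1
    if m == 13:
        y, m = y + 1, 1
    return today >= date(y, m, 1)


def sanitise_and_delete(store: dict, key: str) -> bytes:
    """Zero the PAN buffer in place, then drop the record from the store.
    Returns the zeroed bytes so the caller can verify the wipe. This is the
    application-level pre-delete step only; copies in backups, logs or swap
    still need encryption at rest and media sanitisation."""
    rec = store.pop(key)
    for i in range(len(rec.pan)):
        rec.pan[i] = 0
    return bytes(rec.pan)


if __name__ == "__main__":
    # Constructed sample: a Visa test number on a card that expired end of Feb 2023.
    store = {"card-1": CardRecord("M-100", bytearray(b"4111111111111111"), 2023, 2)}
    rec = store["card-1"]
    assert luhn_ok(rec.pan.decode())
    print(view_truncated(rec, "merchant", "M-100"))   # 411111******1111
    print(view_truncated(rec, "acquirer"))            # 411111******1111
    print(deletion_due(rec, date(2025, 2, 28)))       # False: window ends 28 Feb 2025
    print(deletion_due(rec, date(2025, 3, 1)))        # True
    print(sanitise_and_delete(store, "card-1"))       # b'\x00' * 16
```

Two points are worth noting. A merchant asking for another merchant's account gets a `PermissionError` rather than an empty result, so the denial can be logged as a security event. And the two-year window is computed from the card's expiry month rather than with a naive `year + 2` on a calendar date, which avoids the 29 February edge case and matches how card expiry dates are actually expressed.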
5. Compliance Monitoring
Give Corporation shall periodically review and test the effectiveness of this policy and its related procedures to ensure ongoing compliance with PCI DSS requirements.
6. Training and Awareness
Give Corporation shall provide regular training and awareness programs to all employees, contractors, and third-party service providers who handle credit card data, to ensure their understanding and adherence to this policy for retention and disposal.
7. Enforcement
Any employee, contractor, or third-party service provider found to have violated this policy shall be subject to disciplinary action, up to and including termination of employment or contract. Additionally, any violation of this policy that results in a data breach or other security incident shall be handled under the Incident Response Procedure, promptly reported to the appropriate authorities, and may carry legal and regulatory consequences.
8. Review and Revision
This policy shall be reviewed and updated as necessary to reflect changes in Give Corporation’s business practices, legal or regulatory requirements, or PCI DSS standards.
II. Record Retention and Disposal Policy
A. Introduction
This policy details the procedures for the retention and disposal of information, so that Give carries them out consistently and fully documents any actions taken. Unless otherwise specified, the retention and disposal rules apply to both hard-copy and electronic records.
B. Paper records storage
Records should be kept for as long as they are needed to meet the operational needs of Give, together with legal and regulatory requirements.
Give regularly reviews the retention periods for each category of information to determine whether records should be destroyed or retained for a further period. The record retention schedules below state the retention periods Give applies, unless otherwise directed by Give’s Compliance Officer, a judicial order, a law enforcement request or a member of the Senior Management team.
C. Destruction of records
Records can be destroyed in the following ways:
- Non-sensitive information – may be placed in a normal rubbish bin.
- Confidential information – cross-cut shredded and pulped, or burnt.
- Electronic records and equipment containing information – permanently deleted from the system, with the storage media sanitized or destroyed.
Destruction of electronic records must render them non-recoverable, even using forensic data recovery techniques.
D. Records of Destructions
Give is not required to document the disposal of records that is carried out in accordance with the records retention schedule. Records disposed of other than in accordance with that schedule (either disposed of earlier or kept for longer than listed) must be recorded for audit purposes.
E. Review
Responsibility for reviewing this policy (including reviewing the retention periods for different categories of information) rests with the Compliance Officer. The policy should be reviewed annually.
F. Disposal Schedule - Customer/Merchant Operational Information
Business Function | Description | Retention Period | Comments |
Pre-Sales | Prospect data | As appropriate (up to 12 months) | Retained as necessary depending on the stage in the sales process. Negative data will be destroyed within a 12-month period |
 | Customer details: Name | 7 years | |
 | Customer details: Date of Birth | 7 years | |
 | Customer details: Address | 7 years | |
 | Customer details: Telephone Number (Landline) | 7 years | |
 | Customer details: Telephone Number (Mobile) | 7 years | |
 | Customer details: Application rejected by Acquirer (Credit Referencing) – Card Acceptance Merchants only | 7 years | This information will only be held where the acquirer has rejected an application from a merchant resulting from the credit reference report |
 | Customer details: Experian Credit Reference – Successful applications (Convenience) | Contract term + 7 years | |
 | Customer details: Experian Credit Reference – Unsuccessful applications (Convenience) | 7 years | |
 | Customer details: Application rejected by Give (Credit Referencing) – Convenience (Bill Payment) only, or Convenience (Bill Payment) plus Card Acceptance service merchants only | 7 years | This information will only be held where Give has rejected an application from a merchant resulting from the credit reference report |
Sales Enablement | | | |
Boarding | Customer details: Name | Contract term + 7 years | |
Boarding | Customer details: Date of Birth | Contract term + 7 years | |
Boarding | Customer details: Address | Contract term + 7 years | |
Boarding | Customer details: Telephone Number (Landline) | Contract term + 7 years | |
Boarding | Customer details: Telephone Number (Mobile) | Contract term + 7 years | |
Boarding | Customer details: Email address | Contract term + 7 years | |
Boarding | Customer details: Identity Verification Document 1 | Contract term + 7 years | Any document from the following list: 1) Unexpired passport 2) Driving license 3) National Identity Card |
Boarding | Customer details: Identity Verification Document 2 | Contract term + 7 years | Any document from the following list: 1) Unexpired passport 2) Driving license 3) National Identity Card |
Boarding | Customer details: Address Verification Document | Contract term + 7 years | Any document from the following list: 1) Notification for Tax Credit 2) Notification of entitlement to pension from DWP 3) Notification of a government grant 4) Utility Bill 5) IRS Tax Statement 6) Mortgage statement 7) Council Tax Bill 8) Business Insurance Certificate 9) VOA Business rates document 10) Credit Card Statement 11) Marriage certificate 12) Deed poll certificate (Change of name) |
Boarding | Customer details: Bank details | Contract term + 7 years | |
Boarding | Customer details: Bank confirmation | Contract term + 7 years | Bank statement, voided cheque or paying-in slip |
Boarding | Business details: Business Plan | Contract term + 7 years | |
Boarding | Business details: Financial record from Companies House | Contract term + 7 years | |
Boarding | Business details: Audited Company Accounts | Contract term + 7 years | |
Boarding | Business details: Solicitors’ or accountants’ letters showing personal details of owners/shareholders | Contract term + 7 years | |
Boarding | Business details: Owners / shareholders list | Contract term + 7 years | |
Boarding | Business details: Official Partnership Agreement | Contract term + 7 years | |
Boarding | Business details: Tenancy Agreement for business premises | Contract term + 7 years | |
Boarding | Business details: Customer bank details for taking payments | Contract term + 7 years | |
Boarding | Business details: Acquirer Contract | Contract term + 7 years | |
Boarding | Business details: Acquirer statement (for Merchants who are changing merchant acquirers) | Contract term + 7 years | |
Finance Records
Business Function | Description | Retention Period | Comments |
Finance | Finance Documents | 7 years | |
Financial management – bank, petty cash and creditors records, misc. | Paid/presented cheques and records of all cheques drawn for payment | 7 years | |
 | All other cheque records – cheque books received, butts, cancelled etc. | 2 years | |
 | Bank statements and reconciliations | 7 years | |
 | Electronic banking – transactions, payment files, deposits, withdrawals and audit trail | As per paper records | |
 | All petty cash records | 7 years | |
 | Creditors history records, lists and reports | 7 years | |
 | Statements of accounts | 2 years | |
 | Fraud and theft | 7 years (minor matters) / 10 years (non-minor matters) | |
Financial management – ledger records | General ledger produced for purposes of preparing certified financial statements | 7 years | |
 | Creditor ledger | 7 years | |
 | Other ledgers and related audit trails | 7 years | |
 | Journals – prime record for raising charge | 7 years | |
 | Journals – adjustments | 7 years | |
 | Reconciliations – year end | 7 years | |
 | Assets and depreciation registers | 7 years after disposal of last asset | |
 | Annual and quarterly financial statements | 7 years | |
 | Periodic financial statements | Destroy when accumulated into quarterly or annual reports | |
Financial management – PO (Purchase Order) records | PO records | 7 years | |
Financial management – Income | Debtors records and invoices | 7 years | |
 | Credit notes and refunds | 7 years | |
 | Records relating to unrecoverable revenue (bad debts, overpayments) | 7 years (minor matters) / 10 years (non-minor matters) | |
 | Revenue records | 7 years | |
Merchant Information | Contact data | Contract length plus 7 years | |
 | Bank details | Contract length plus 7 years | |
 | Legal proceeding documents | Contract length plus 7 years | |
 | Contract information | Contract length plus 7 years | |
Financial management – internal and external audit | External audit investigations | 7 years after completion | |
 | Audit reports that include long-term contracts | 7 years | |
 | Report papers used in the course of a fraud investigation | 7 years | |
 | Other audit reports | 3 years | |
 | Internal audit guides, manuals and guides relating to departmental procedures and local auditing standards | Indefinitely, replaced with updates as and when necessary | |
Disposal Schedule - Governance and Operations: Human Resources and Payroll Records
Business Function | Description | Retention Period | Comments |
Human Resources | Human Resources Documents | | |
Employee Files | Paper and hard-copy employee files | 7 years after the employee leaves the organization | The Limitation Act 1980 (to reflect that legal proceedings must start within 7 years) |
Income Tax Records and Wages | Income tax and NI returns, income tax records and correspondence with the Inland Revenue | Not less than 3 years after the end of the financial year to which they relate | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631) |
 | Wage/salary records (also overtime, bonuses, expenses) | 7 years | Taxes Management Act 1970 |
 | National minimum wage records | 3 years after the end of the pay reference period following the one that the records cover | National Minimum Wage Act 1998 |
Pension and Retirement | Retirement Benefits Schemes – records of notifiable events, for example relating to incapacity | 7 years from the end of the scheme year in which the event took place | The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103) |
Payroll and HR Policies | Staff handbook, clear desk policies etc. | Perpetual | Retain most recent / updated version |
Sickness Records | Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended |
 | Statutory Sick Pay records, calculations, certificates, self-certificates | 3 years after the end of the tax year to which they relate | The Statutory Sick Pay (General) Regulations 1982 (SI 1982/894) as amended |
Employee Files – General Exceptions | Records relating to working time | 2 years from the date on which they were made | The Working Time Regulations 1998 (SI 1998/1833) |
 | Accident books, accident records/reports | 3 years after the date of the last entry | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended |
Financial management – Payroll/Pension | Employee current pay and pay histories (equal pay register) | 7 years after the employee leaves the organization | |
 | Internal payroll spreadsheet | 7 years after the employee leaves the organization | |
 | Sage reports | 7 years after the employee leaves the organization | |
 | Internal pension report (pension for Aegon) | 7 years after the employee leaves the organization | |
 | Child care vouchers, CSA payments | 7 years after the employee leaves the organization | |
 | HMRC tax deduction data (P45 & P60 data) | 7 years after the employee leaves the organization | |
 | P11Ds – car and medical benefits | 7 years after the employee leaves the organization | |
 | Office for National Statistics data | 7 years after the employee leaves the organization | |
 | Company loan data | 7 years after the employee leaves the organization | |
The information contained herein is intended to provide a general overview of the Company’s policies and procedures relating to compliance with this Policy and does not constitute legal advice or a complete description of the laws and regulations relating to this Policy. The Company has made every effort to ensure the accuracy and completeness of this Policy. This document is intended to provide guidance to employees of Company on how to comply with applicable laws and regulations related to this Policy. Employees should consult with the Legal or Compliance Department if they have any questions about the Policy or how to comply with it. Company reserves the right to modify or update this Policy at any time without notice. Employees are responsible for reviewing the Policy on a regular basis to ensure that they are aware of any changes. This Policy applies to all employees of Company, regardless of their position or location unless stated otherwise in the Policy. Employees are responsible for complying with the Policy and for reporting any suspected violations to their respective supervisor, the Legal Department, AMLCO or respective recipient of such violation as outlined in this Policy.
Copyright © GiveCorporation Inc. All Rights Reserved