3-5.3 Retention and Storage of Information

The retention and storage of information must be controlled as follows:

  1. All Postal Service information must be retained in accordance with legal retention requirements established by law (e.g., legal holds), and also with operational retention requirements established by the business owner with concurrence by the Postal Service Privacy and Records Office, Legal, and the Inspection Service (see Handbook AS-353).
  2. When the retention period or legal hold has expired, sensitive-enhanced, sensitive, and critical information must be properly destroyed as described in Disposal and Destruction of Information and Media. The process of removing expired information can be automated or manual.
  3. Sensitive-enhanced, sensitive, and critical information should be stored in a controlled area or a locked cabinet in accordance with established Postal Service policies and procedures.
  4. PII must not be stored or accessed on devices that are located outside of the United States.
  5. Sensitive-enhanced information must not be processed or stored in a public cloud.
  6. PCI and law enforcement information must be stored in an enclave.
  7. Under no circumstances should nonpublicly available information be stored on a public Web site.
  8. Nonpublicly available Postal Service information must be isolated and stored separately from non-Postal Service information (e.g., business partner and vendor information) unless required by law or regulation. Nonpublicly available Postal Service information and non-Postal Service information must be stored separately at Postal Service facilities, non-Postal Service facilities, or at backup sites unless required by law or regulation.
  9. Payment cardholder information must not be copied or stored on local hard drives or removable electronic media as the result of accessing such data via remote access technologies.
  10. Payment cardholder electronic media must be inventoried and the inventory reconciled semiannually.
  11. Cardholder data storage must be kept to a minimum and retention time must be limited.
  12. The following PCI authentication data must not be stored (e.g., in log files, history files, trace files, or database contents) after completing the payment transaction under any circumstance:
    1. The full contents of any track from the magnetic stripe on the back of the card or contained in a chip on the card.
    2. The three-digit or four-digit card-validation code printed on the front of the card or the signature panel on the back of the card.
    3. PINs or the encrypted PIN blocks.
  13. Temporary storage of PCI authentication data must be deleted in a manner that makes the data unrecoverable.
  14. PANs must be rendered unreadable anywhere they are stored by one-way hash, truncation, indexed tokens, or strong cryptography.
  15. Retention of payment card data is defined in Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management. A quarterly automatic or manual process must be implemented for identifying and securely deleting cardholder data that exceeds the defined retention requirement.
  16. Program-level and project-level TSLC artifacts and compliance records must be kept as long as the program/project is active and must be purged 27 months after the program/project is retired.