[PA-DSS] 2.1 Software vendor must provide guidance to customers regarding purging of cardholder data

2.1 Software vendor must provide guidance to customers regarding purging of cardholder data after expiration of customer-defined retention period.

PCI Data Security Standard Requirement 3.1

Testing Procedures:

2.1.a Review the PA-DSS Implementation Guide prepared by the vendor and verify the documentation includes the following guidance for customers and resellers/integrators:

[ul]
[li]That cardholder data exceeding the customer-defined retention period must be purged.[/li]
[li]All locations where the payment application stores cardholder data (so that customer knows the locations of data that needs to be deleted).[/li]
[/ul]