What must issuers or issuer processors ensure when retaining sensitive authentication data?

Issuers or issuer processors must ensure that the retention of sensitive authentication data is necessary for business functions. This aligns with PCI DSS requirements, which dictate that sensitive authentication data—such as full magnetic stripe data, card verification codes, and PINs—should not be stored after authorization, unless absolutely necessary for specific business purposes. This means that when such data is retained, it must be justified and essential for meeting operational or legal requirements, thereby minimizing the risk of exposure and misuse.

Retaining such sensitive data indefinitely (option C) or for competitive reasons (option D) is not aligned with PCI DSS standards, as these practices increase potential vulnerabilities. Similarly, ensuring convenience (option A) does not address the critical security implications associated with the storage of sensitive authentication data, which must prioritize security over convenience.