3.1.1 Implement a data retention and disposal policy that includes:
Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements.
Processes for secure deletion of data when no longer needed.
Specific retention requirements for cardholder data.
A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.