Which statement is true regarding storage of cardholder data?


The statement that stored cardholder data exceeding retention requirements needs to be removed on a quarterly basis reflects best practices in data security and compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS). This approach reduces the risk of data breaches by minimizing the amount of sensitive data an organization holds. Compliance mandates often include specific guidelines on data retention and on the secure disposal of cardholder information that is no longer needed for business or legal reasons.

It is important for organizations to understand the various retention requirements that apply to cardholder data and ensure that any data exceeding these limits is securely deleted. This not only helps in mitigating potential security risks but also aligns with legal and regulatory obligations for data protection.

The other choices, while touching on important aspects of cardholder data storage, do not describe universally applicable or correctly mandated practices. For example, storing all cardholder data indefinitely does not comply with data minimization principles. Encrypting stored cardholder data is a strong security measure, but it is not the sole requirement; organizations must also manage data retention effectively. Lastly, while cardholder data may be stored when not in use, that practice alone does not address the risks or compliance obligations associated with retaining sensitive data.
