Storing track data after authorization is never permitted. It doesn’t matter what an organization is doing with the track data, they are not permitted to store it after authorization. The only exception may apply to issuers and/or issuer processors. Issuers or issuer processors are only allowed to retain sensitive authentication data for legitimate business reasons. A legitimate reason is one that is necessary for the performance of the function being provided and not one of convenience. Specific issuer requirements are defined according to the payment card brand that they’re issuing on behalf of. At their discretion, the payment card brands may also impose additional requirements for issuers regarding handling of sensitive authentication data.
This applies even if the data is protected by encryption, password protection, data scrambling/obfuscation, masking, proprietary data formats, or other mechanisms.