Which of the following statements is true about data retention policies under PCI DSS?

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

The accurate statement about data retention policies under PCI DSS is that data retention should align with business needs and regulatory requirements. This is crucial because, while organizations must manage cardholder data securely, they must also consider the legal and regulatory obligations that dictate how long certain types of data must be retained for compliance and business continuity.

By aligning data retention with both business needs and regulatory requirements, organizations ensure that they are not holding onto sensitive information longer than necessary while still meeting the required obligations, thereby minimizing risk and ensuring compliance with PCI DSS.

Retention policies must balance the necessity of keeping data for legitimate business purposes and the security implications associated with retaining sensitive payment card information. This helps in maintaining the integrity and security of a company's payment systems while ensuring compliance with PCI DSS stipulations concerning cardholder data.
