Appendix A: Data retention (Payment API)

Owned by Helen Griffith
Last updated: Mar 16, 2022

Due to the Payment API data retention policy, session data is available for a limited time. The time that data is available for varies according to the type of data:

  • Personally identifiable information (PII) is available for 15 minutes after session is finished. Any PII will be contained within the paymentResultData parameter; removing this parameter will remove this sensitive information.

If the payment session information is pushed to a webhook, paymentResultData information is removed 15 minutes after the webhook successfully delivers the information.
If the webhook notification fails, VCC retries for up to 12 hours to deliver the information and paymentResultData is removed after successful delivery. After 12 hours, the delivery attempt expires and the data is removed.

  • General session information (session identifiers and metadata—does not include anything from the paymentResultData field) is available for 90 days after the last session state change (to Finished, Error, TimeOut or ExpiredOnProviderSide).

If the payment session information is pushed to a webhook, the 90 day begins after the webhook successfully delivers the information or the delivery attempts expire.