The 3/4-digit code on the back of the card cannot be retained.
That may be a rule. But, not every merchant follows it.
Part of the PCI audit requires demonstrating that you don't store these.
That's interesting. Because Janelonline requires international customers to email the scans of their credit card, and the law requires also that they keep any emails used in business transactions around for a period of time, I think it may be 7 years.
So, which law do you think they keep, and which they break?
If they delete the email, they violate the law requiring them to keep this communication, but they'd be in compliance with the PCI rule.
If they keep the email, they violate the PCI rule, but then they are in compliance with the law requiring businesses to maintain a record of their digital communications.
So, what do they do?