What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed and maintained by the PCI Security Standards Council, an organization founded by Visa, Mastercard, American Express, Discover, and JCB. PCI DSS applies to any organization that stores, processes, or transmits cardholder data. Media disposal falls under Requirement 9, which governs physical access to cardholder data systems and media.
Governing standard: PCI DSS v4.0.1 (current as of June 2024)
Published by: PCI Security Standards Council (PCI SSC)
Enforced by: Payment card brands (Visa, Mastercard, American Express, Discover, JCB) through acquiring banks
Official source: pcisecuritystandards.org
Legal force: Contractual — merchants and processors accept PCI DSS compliance as a condition of their card acceptance agreements
PCI DSS is an industry standard, not a law. Non-compliance is enforced contractually by the card brands through acquiring banks. The practical consequences of non-compliance (fines, loss of card processing ability, breach liability) are significant enough that PCI DSS functions as a de facto requirement for any organization that accepts payment cards.
PCI DSS v4.0.1 note: Version 4.0.1 is a minor revision to v4.0 (March 2022) that corrects typographical errors and clarifies intent. The media disposal requirements (Requirement 9.4) are substantively identical between v4.0 and v4.0.1. Organizations that achieved v4.0 compliance do not need to recertify for v4.0.1 changes to the disposal requirements.
What PCI DSS v4.0.1 Requires for Media Disposal
Requirement 9 of PCI DSS v4.0.1 governs “Physical access to system components in the cardholder data environment.” Requirement 9.4 covers the full lifecycle of media containing cardholder data: storage, access, distribution, and destruction.
Requirement 9.4.6: Destruction of Hard-Copy Materials with Cardholder Data
Requirement: 9.4.6
Citation: PCI DSS v4.0.1, Requirement 9.4.6
What it requires: Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons via cross-cut shredding, incineration, or pulping such that cardholder data cannot be reconstructed.
Plain English: Paper containing cardholder data (receipts, printouts, reports) must be cross-cut shredded, incinerated, or pulped. The destruction must make reconstruction impossible. Standard strip-cut shredding, which can be reassembled, does not satisfy the requirement.
Requirement 9.4.7: Destruction of Electronic Media with Cardholder Data
Requirement: 9.4.7
Citation: PCI DSS v4.0.1, Requirement 9.4.7
What it requires: Electronic media with cardholder data is destroyed when it is no longer needed for business or legal reasons via physical destruction of the media or by rendering the cardholder data unrecoverable so that it cannot be reconstructed.
Accepted methods: Secure wipe programs in accordance with industry-accepted standards for secure deletion; degaussing; or physical destruction. NIST SP 800-88 r2 is the industry-accepted standard referenced by PCI assessors.
v4.0.1 update: Version 4.0.1 explicitly added solid-state devices requiring cryptographic erasure to the scope of electronic media destruction requirements, addressing a gap in earlier versions for SSDs and flash media.
Requirement 9.4.1: Secure Storage of Media with Cardholder Data
Requirement: 9.4.1
Citation: PCI DSS v4.0.1, Requirement 9.4.1
What it requires: All media with cardholder data is physically secured.
Relevance to disposal: Media awaiting destruction must be stored securely. Media in a box in an unlocked supply room pending shredding is a PCI compliance gap.
Requirement 9.4.5: Periodic Media Inventory
Requirement: 9.4.5
Citation: PCI DSS v4.0.1, Requirement 9.4.5
What it requires: Inventories of all electronic media with cardholder data are conducted at least once per year.
Relevance to disposal: A media inventory identifies assets that should be destroyed. The destruction record must reconcile against the inventory to demonstrate that all media identified in the inventory has been properly disposed of.
How Data Destruction Inc. Satisfies PCI DSS Requirement 9.4
Data Destruction Inc. provides data destruction services for retail and financial services organizations that satisfy PCI DSS v4.0.1 Requirements 9.4.6 and 9.4.7 through documented, NIST SP 800-88 r2 Destroy-level physical destruction.
| PCI DSS Requirement | DDI Service | NIST r2 Category | Documentation |
|---|---|---|---|
| 9.4.7 (electronic) | Hard drive shredding | Destroy (§3.1.3) | Certificate of Destruction with r2 section + serialized inventory |
| 9.4.7 (electronic) | Hard drive crushing | Destroy (§3.1.3) | Certificate of Destruction with r2 section + serialized inventory |
| 9.4.7 (SSD/flash) | SSD shredding | Destroy (§3.1.3) | Certificate of Destruction citing SSD-specific r2 section |
| 9.4.7 (electronic reuse) | Data wiping | Clear/Purge (§3.1.1/§3.1.2) | Certificate of Destruction + wipe report with method detail |
| 9.4.7 + witness | Witnessed destruction | All categories | CoD + signed witness page + chain-of-custody log |
Serialized Certificate of Destruction: The Certificate of Destruction from Data Destruction Inc. documents each asset individually with its serial number, making it possible to reconcile against the Requirement 9.4.5 annual media inventory. Aggregate-only certificates (one certificate for “50 drives” without individual serial numbers) do not satisfy PCI DSS’s per-device documentation requirement. DDI issues serialized certificates.
Who Must Comply with PCI DSS?
PCI DSS applies to any organization in the payment card data environment. The merchant and service provider levels vary based on annual transaction volume.
Merchants (by volume tier):
| Level | Annual Visa/Mastercard transactions | Assessment requirement |
|---|---|---|
| Level 1 | More than 6 million | Annual on-site assessment by Qualified Security Assessor (QSA) |
| Level 2 | 1-6 million | Annual Self-Assessment Questionnaire (SAQ) + quarterly network scan |
| Level 3 | 20,000 to 1 million e-commerce transactions | Annual SAQ + quarterly network scan |
| Level 4 | Fewer than 20,000 e-commerce transactions; all other merchants | Annual SAQ (requirements set by acquiring bank) |
Service providers: Organizations that process, store, or transmit cardholder data on behalf of merchants (payment processors, hosting providers, managed security providers) face separate PCI DSS compliance levels.
Covered cardholder data: PCI DSS covers any media that stores Primary Account Numbers (PANs), including full or partial card numbers. Media that stored PANs but has since had the data encrypted, truncated, or tokenized may still require destruction if the original PAN was ever stored in readable form.
Enforcement and Penalties
PCI DSS is contractually enforced by card brands through acquiring banks. There is no federal law directly creating PCI DSS penalties, though state data breach laws and FTC Act enforcement can apply to breaches resulting from PCI non-compliance.
Card brand fines through acquiring banks: Visa and Mastercard issue fines to acquiring banks for non-compliant merchants. Fines range from $5,000 to $100,000 per month of non-compliance. Acquiring banks pass these fines to the merchant.
Post-breach consequences: forensic investigation costs; card reissuance costs charged back to the merchant ($5-$15 per reissued card); loss of the ability to accept Visa or Mastercard (card network disqualification); and increased transaction fees (higher interchange rates for non-compliant merchants).
Documented enforcement involving media disposal: Multiple retail breaches (2014-2024) have included forensic findings of improperly disposed POS terminal media. Acquirer fines in the range of $100,000 to $500,000 have been levied against merchants where improper media disposal contributed to a breach.
Cardholder Data Destruction: Method by Media Type
PCI DSS v4.0.1 Requirements 9.4.6 and 9.4.7 require that cardholder data on electronic and paper media be rendered unrecoverable when no longer needed. NIST SP 800-88 r2 Destroy-level methods satisfy the “accepted industry standards” requirement. Use this matrix to select the correct method for each media type in your cardholder data environment.
| Media Type | PCI DSS Requirement | NIST r2 Category | DDI Method |
|---|---|---|---|
| Hard drives (HDD) | Req. 9.4.7 — electronic media | Destroy (§3.1.3) | Hard drive shredding or crushing |
| Solid-state drives (SSD / NVMe) | Req. 9.4.7 — SSD explicitly addressed in v4.0.1 | Destroy (§3.1.3); Purge via CE if §3.2 conditions met | SSD shredding (required for final disposal) |
| POS terminal media | Req. 9.4.7 — any device that stored PANs | Destroy (§3.1.3) | Physical shredding / crushing |
| Paper receipts and cardholder printouts | Req. 9.4.6 — cross-cut shred, incinerate, or pulp | Physical destruction (per Req. 9.4.6) | Cross-cut shredding |
| Backup tapes | Req. 9.4.7 — electronic media | Destroy (§3.1.3) | Tape shredding / degauss + shred |
| Electronic media for reuse | Req. 9.4.7 — cardholder data unrecoverable | Clear or Purge (§3.1.1/§3.1.2) | Data wiping with per-device wipe report |
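The two checks a QSA will actually run against this evidence are (1) that every Certificate of Destruction entry names a serial number and a method that is acceptable for that media type, and (2) that the certificate reconciles against the Requirement 9.4.5 inventory with nothing left over on either side. The script below is an added illustration of both checks and is not code from Data Destruction Inc. or from the PCI SSC. The CSV column names, the media-type labels, the method vocabulary, and the sample inventory and certificate rows are all constructed for this example; the accepted-method table follows the media-type matrix above (no degaussing for SSD/flash, no strip-cut shredding for paper, and Clear/Purge wiping only where the asset is being reused rather than disposed of).

```python
"""Reconcile a serialized Certificate of Destruction (CoD) against an annual
media inventory and validate the destruction method recorded for each asset.
All sample data below is constructed for this example."""
import csv
import io

# Destruction methods the page's matrix accepts per media type (constructed
# vocabulary). Degaussing is absent for SSD/flash because it has no effect on
# flash storage; strip-cut shredding is absent for paper because it can be
# reassembled.
ACCEPTED_METHODS = {
    "hdd":   {"shred", "crush", "degauss", "degauss+shred", "wipe"},
    "ssd":   {"shred", "cryptographic erase"},
    "pos":   {"shred", "crush"},
    "tape":  {"shred", "degauss", "degauss+shred"},
    "paper": {"cross-cut shred", "incinerate", "pulp"},
}

# NIST Clear/Purge methods: fine for reuse, not for final disposal.
REUSE_ONLY_METHODS = {"wipe", "cryptographic erase"}

# Constructed annual media inventory (Requirement 9.4.5).
INVENTORY_CSV = """serial,media_type,location
HDD-0001,hdd,DC1-rack3
HDD-0002,hdd,DC1-rack3
SSD-0101,ssd,Store-17-POS
POS-2201,pos,Store-17
TAPE-0300,tape,Offsite-vault
"""

# Constructed certificate of destruction, deliberately containing defects:
# a wiped drive recorded as final disposal, a degaussed SSD, an aggregate
# paper entry with no serial, and a device that was never inventoried.
COD_CSV = """serial,media_type,method,disposition
HDD-0001,hdd,shred,final
HDD-0002,hdd,wipe,final
SSD-0101,ssd,degauss,final
,paper,strip-cut shred,final
TAPE-0300,tape,degauss+shred,final
USB-9999,ssd,shred,final
"""


def parse_csv(text):
    """Parse CSV text into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def check_certificate(cod_rows):
    """Return (serial, finding) tuples for CoD entries that would not satisfy
    per-device documentation or the media-type method expectations."""
    findings = []
    for row in cod_rows:
        serial = row["serial"].strip()
        media = row["media_type"].strip().lower()
        method = row["method"].strip().lower()
        disposition = row["disposition"].strip().lower()
        if not serial:
            findings.append(("<no serial>", "aggregate entry without serial number"))
            continue
        accepted = ACCEPTED_METHODS.get(media)
        if accepted is None:
            findings.append((serial, f"unknown media type {media!r}"))
        elif method not in accepted:
            findings.append((serial, f"method {method!r} not accepted for {media}"))
        elif disposition == "final" and method in REUSE_ONLY_METHODS:
            findings.append((serial, f"{method!r} is Clear/Purge, not Destroy; "
                                     "final disposal needs physical destruction"))
    return findings


def reconcile(inventory_rows, cod_rows):
    """Set-reconcile inventory serials against destroyed serials."""
    inv = {r["serial"].strip() for r in inventory_rows}
    destroyed = {r["serial"].strip() for r in cod_rows if r["serial"].strip()}
    return {
        "not_destroyed": sorted(inv - destroyed),      # still awaiting disposal
        "not_in_inventory": sorted(destroyed - inv),   # inventory is incomplete
        "reconciled": sorted(inv & destroyed),
    }


if __name__ == "__main__":
    cod = parse_csv(COD_CSV)
    for serial, finding in check_certificate(cod):
        print(f"CoD finding: {serial}: {finding}")
    for key, serials in reconcile(parse_csv(INVENTORY_CSV), cod).items():
        print(f"{key}: {serials}")
```

Each non-empty result is an audit gap to close before the assessment: an asset that is still "not_destroyed" must be traced to secure storage under Requirement 9.4.1 or to a later destruction event, and a serial that is "not_in_inventory" means the 9.4.5 inventory itself was incomplete.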
Regulations That Interact with PCI DSS Media Disposal
Merchants, processors, and service providers handling cardholder data often face overlapping obligations from related federal regulations. A single NIST SP 800-88 r2 Destroy-level destruction process and a serialized Certificate of Destruction satisfy all of the following simultaneously.
| Regulation | Relationship to PCI DSS media disposal |
|---|---|
| NIST SP 800-88 r2 | The “accepted industry standard” for electronic media destruction under Req. 9.4.7 |
| GLBA Safeguards Rule | Banks and payment processors face both PCI DSS and GLBA disposal obligations |
| FACTA Disposal Rule | Retailers using consumer reports for financing also face FACTA alongside PCI DSS |
| HIPAA Disposal Rule | Healthcare providers that accept payment cards face both PCI DSS and HIPAA obligations |
| FISMA | Federal payment systems (e.g., USPay, government card programs) face FISMA and PCI requirements |
| ISO 27001 / 27040 | Global merchants may align PCI DSS Req. 9.4 with ISO Annex A.7.14 disposal controls |
Authoritative Source and Official Standard
PCI DSS v4.0.1 · Requirements 9.4.6 and 9.4.7 — Media Destruction
Current: PCI DSS v4.0.1, June 2024. PCI DSS v4.0 compliance deadline was March 31, 2025.
PCI DSS v4.0.1 is current. Monitor pcisecuritystandards.org for the PCI DSS v5.0 development timeline and for any supplementary guidance on SSD and flash media disposal under Req. 9.4.7.
Frequently Asked Questions
Which specific PCI DSS requirements cover hard drive destruction?
PCI DSS v4.0.1 Requirement 9.4.7 covers electronic media destruction. It requires that cardholder data on electronic media be rendered unrecoverable via secure wipe programs meeting industry-accepted standards, degaussing, or physical destruction. NIST SP 800-88 r2 is the industry-accepted standard. For final disposal, physical destruction (NIST Destroy, Section 3.1.3) via shredding is the standard approach.
Does PCI DSS apply to SSDs and flash media?
Yes. PCI DSS v4.0.1 explicitly addresses solid-state devices in the media destruction requirements. SSDs, NVMe drives, USB flash drives, and other flash-based storage that contained cardholder data must be destroyed. Degaussing does not satisfy the requirement for SSDs, as it has no effect on flash storage. Physical shredding (NIST SP 800-88 r2 Destroy, Section 3.1.3) is the required method for end-of-life SSD disposal.
What documentation does a PCI QSA need for media disposal compliance?
A QSA evaluating Requirement 9.4 looks for: a written media handling policy, evidence of annual media inventory (9.4.5), records of media destruction (9.4.6 for paper, 9.4.7 for electronic), and confirmation that the destruction method meets accepted industry standards. The Certificate of Destruction from Data Destruction Inc. satisfies the electronic media destruction record requirement. The certificate must be serialized (one entry per device with serial number) to support reconciliation against the annual inventory.
Is PCI DSS a law or a contract requirement?
PCI DSS is an industry standard enforced contractually, not a federal law. Merchants and service providers accept PCI DSS compliance as a condition of their card network participation agreements. Card brands enforce compliance through acquiring banks, which can impose fines, require forensic investigations, or terminate the merchant’s ability to accept cards. However, breaches resulting from PCI non-compliance can trigger enforcement under the FTC Act (for unfair security practices) and state breach notification laws, creating legal exposure in addition to the contractual consequences.
How often does PCI DSS media disposal documentation need to be updated?
PCI DSS Requirement 9.4.5 requires an annual media inventory. Destruction records must be maintained for each disposal event. The retention period for PCI DSS audit records is generally 12 months of immediately available records with an additional 12 months of historical records, though specific merchant agreements or state laws may require longer retention. Certificates of Destruction from Data Destruction Inc. should be retained for at least 24 months as part of the PCI DSS evidence package.
