PCI DSS 9.4.6: Destroy Hard-Copy CHD Media When No Longer Needed
Hard-copy documents containing cardholder data represent a significant breach risk if not properly destroyed. PCI DSS 9.4.6 requires organizations to establish and enforce procedures for securely destroying physical materials containing CHD when business or legal retention periods expire. Failing to implement proper destruction controls can leave sensitive payment card information vulnerable to unauthorized access.
What this means
This control mandates that any physical documents, forms, reports, or materials containing cardholder data (CHD) must be destroyed in a secure manner once they are no longer needed for legitimate business operations or legal compliance requirements. Organizations must determine appropriate retention periods based on business necessity and legal obligations, then establish documented processes to ensure complete and irreversible destruction of CHD-containing materials. This includes items such as printed transaction receipts, access logs, reports, and records that contain full PAN, expiration dates, or security codes.
How to comply
- 1.Identify all physical materials and documents that contain cardholder data across your organization
- 2.Define retention periods for CHD-containing hard-copy materials based on business and legal requirements
- 3.Establish secure destruction methods such as cross-cut shredding, incineration, or approved pulping for paper documents
- 4.Document and enforce destruction procedures in your information security policy
- 5.Designate responsible personnel to oversee and verify destruction activities
- 6.Maintain records of destruction activities with dates, materials destroyed, and method used
- 7.Conduct regular audits to ensure destruction procedures are being followed consistently
- 8.Review and update destruction procedures annually or when retention requirements change
Evidence auditors look for
- Documented hard-copy media destruction policy with retention schedules
- Records of shredding or destruction services contracted with third parties
- Certificates of destruction from approved waste management vendors
- Inventory logs showing CHD materials removed from storage and destroyed
- Signed destruction request forms with authorization and completion dates
- Audit trail showing periodic verification of destruction compliance
- Photos or video documentation of in-house destruction activities
- Retention schedules by document type with corresponding destruction dates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates destruction schedule tracking and generates documented evidence of hard-copy CHD destruction activities, eliminating manual tracking and providing auditable proof of 9.4.6 compliance.
See how GRCWatch handles this control automatically
Start free trial