GRCWatch
Sign inStart free trial

PCI DSS 9.4.7: Destroying Electronic Media with Cardholder Data

Cardholder data doesn't disappear when you delete a file—it remains recoverable until properly destroyed. PCI DSS 9.4.7 requires your organization to permanently eliminate electronic media containing CHD when no longer needed for business or legal purposes. This control prevents data breaches from improperly discarded storage devices, backups, and systems.

What this means

Electronic media holding cardholder data—including hard drives, SSDs, USB devices, tape backups, and cloud storage—must be securely destroyed when retention requirements are met. Deletion alone is insufficient; you need cryptographic erasure, physical destruction, or certified degaussing to ensure data cannot be recovered. Organizations must maintain an inventory of media containing CHD and document destruction methods and dates.

How to comply

  1. 1.Maintain an inventory of all electronic media storing cardholder data, including backup systems and archived files
  2. 2.Establish data retention policies that specify how long CHD must be kept for business and legal requirements
  3. 3.Select appropriate destruction methods: cryptographic overwriting, degaussing, or physical destruction verified by third parties
  4. 4.Use certified media destruction vendors who provide written proof of destruction for regulatory audits
  5. 5.Document all destruction activities with dates, methods, media identifiers, and personnel responsible
  6. 6.Implement secure deletion standards (e.g., NIST guidelines) for on-premises systems before decommissioning
  7. 7.Train IT and operations staff on proper media disposal procedures and security requirements
  8. 8.Conduct periodic audits to verify that end-of-life media is destroyed according to policy

Evidence auditors look for

  • Media inventory logs showing CHD storage locations and retention schedules
  • Written data destruction policy approved by management
  • Certificates of destruction from certified e-waste vendors including media serial numbers
  • Cryptographic erasure logs with timestamps and employee signatures
  • Third-party audit reports confirming media destruction compliance
  • Decommissioning checklists documenting secure wipe procedures for retired equipment
  • Training records proving staff understand media destruction requirements
  • Quarterly destruction audit reports and reconciliation of media inventory

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates CHD media inventory tracking, destruction scheduling, and audit-ready documentation so your team never misses a destruction deadline or forgets to record vendor certificates.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.4.1 — Protect Electronic Media in TransitPCI DSS 9.4.2 — Track and Manage Portable MediaPCI DSS 9.4.3 — Restrict Access to Media with CHDPCI DSS 3.2.1 — Do Not Retain Full Magnetic Stripe Data