PCI DSS Media Disposal: Requirement 9.4 and Destroying Cardholder Data Media
The Payment Card Industry Data Security Standard (PCI DSS) protects cardholder data across every organization that stores, processes, or transmits it. Requirement 9.4 of PCI DSS v4.0.1 mandates destroying media so cardholder data cannot be reconstructed. All Green Recycling's data destruction processes are operationally aligned to the PCI DSS media-destruction requirements.

What Is PCI DSS Media Disposal?
The Payment Card Industry Data Security Standard (PCI DSS) is the security standard maintained by the PCI Security Standards Council for organizations that handle branded payment cards. Requirement 9 protects physical access to cardholder data, and Requirement 9.4 governs the management and destruction of media that stores it. The current version is PCI DSS v4.0.1, published June 2024.
Publisher: PCI Security Standards Council (founded by the major card brands)
Key citations: Requirement 9.4.5 (media inventory), 9.4.6 (hardcopy destruction), 9.4.7 (electronic media rendered unrecoverable)
Legal force: Contractual standard enforced by the card brands through acquiring banks, not a government law.
PCI DSS is mandatory by contract for any entity in the payment chain, even though it is not a statute. An organization agrees to comply as a condition of accepting card payments. Requirement 9.4 closes the disposal gap: cardholder data on retired drives, backup tapes, and paper must be destroyed so it cannot be recovered.
What Does PCI DSS Require for Media Destruction?
PCI DSS Requirement 9.4 requires entities to classify and inventory media containing cardholder data, control its storage and movement, and destroy it when it is no longer needed for business or legal reasons so that cardholder data cannot be reconstructed.
Inventory and classification (9.4.5)
Media containing cardholder data must be classified and inventoried so the organization knows what it holds and can account for it through disposal. An accurate inventory is the precondition for a defensible destruction record.
Hardcopy destruction (9.4.6)
Hardcopy materials must be destroyed when no longer needed for business or legal reasons by cross-cut shredding, incinerating, or pulverizing so that cardholder data cannot be reconstructed. Storage containers for material pending destruction must be secured.
Electronic media destruction (9.4.7)
Electronic media must be rendered unrecoverable so that cardholder data cannot be reconstructed, for example by secure wiping in line with accepted industry standards, or by physically destroying the media such as degaussing magnetic media or shredding drives. Industry guidance points to NIST SP 800-88 for the accepted methods.
Documentation expectation
A Qualified Security Assessor reviewing Requirement 9.4 expects evidence that media was destroyed: a destruction certificate, a serialized inventory, and the method used. This converts the destruction action into auditable proof.
Securing media pending destruction (9.4.6)
Requirement 9.4 does not begin at the moment of destruction; it covers the interval before it. Media awaiting destruction must be stored in secured containers so cardholder data cannot be retrieved while it sits in a bin or a holding area. This closes a common gap where drives and paper accumulate in an unlocked closet for weeks. A defensible program uses locked collection containers and a documented chain of custody from the point media is retired to the point it is destroyed, so there is no window in which cardholder data is exposed.
The customized-approach option in v4.0.1
PCI DSS v4.0.1 allows entities to meet a requirement either through the defined approach, which follows the stated method, or through a customized approach, which achieves the requirement’s objective by another means that the assessor validates. For media destruction the objective is constant: cardholder data must be rendered unable to be reconstructed. Whether an organization shreds, degausses, or securely wipes to an accepted standard, the assessor tests that the chosen method actually achieves irreversibility and that documentation proves it for each device.
How All Green Recycling Aligns to PCI DSS
All Green Recycling’s data destruction processes are operationally aligned to PCI DSS Requirement 9.4 for rendering cardholder data media unrecoverable. The company applies destruction methods that match the standard’s examples and produces the documentation a Qualified Security Assessor reviews.
| PCI DSS requirement | All Green Recycling control |
|---|---|
| Render electronic media unrecoverable (9.4.7) | Hard Drive Shredding and degaussing for magnetic media |
| Secure wipe per industry standards (9.4.7) | SSD Secure Erase aligned to NIST SP 800-88 Rev. 2 |
| Hardcopy destruction (9.4.6) | Cross-cut shredding of hardcopy materials |
| Inventory and account for media (9.4.5) | Serialized inventory in the Certificate of Destruction |
All Green Recycling does not claim to be “PCI-certified” as a destruction vendor. PCI DSS validation applies to entities in the payment chain, and media destruction is a control those entities implement. The company states that its destruction methods satisfy the requirements of Requirement 9.4, and the merchant or service provider retains its own PCI DSS validation.
For the merchant or service provider, the benefit is a clean line of evidence into its assessment. The serialized inventory ties each destroyed device back to the media inventory required under 9.4.5, and the recorded method shows the assessor that cardholder data was rendered unrecoverable under 9.4.7. Rather than reconstructing what happened to retired terminals and drives at audit time, the entity holds a dated record produced at the moment of destruction.
Who Must Comply With PCI DSS Media Disposal?
PCI DSS applies to any organization that stores, processes, or transmits cardholder data, and to service providers whose services can affect the security of that data. Compliance obligations scale by merchant level, which is based on annual transaction volume, but the media-destruction requirement applies to all levels.
Covered organizations include retail merchants, e-commerce operators, restaurants and hospitality businesses, payment processors, and the service providers that support them, including data-destruction and IT asset disposition vendors. A retailer retiring point-of-sale servers and a processor decommissioning a storage array both must render the cardholder data on that media unrecoverable under Requirement 9.4.
The requirement reaches devices that organizations sometimes overlook. Point-of-sale terminals, back-office servers, payment-application workstations, backup tapes, and even printers that retain card images can all hold cardholder data, and each is media under Requirement 9.4. A hospitality operator refreshing terminals across many locations faces the same destruction obligation as a single store, multiplied across its estate. Because compliance is validated against the merchant or service provider rather than the disposal vendor, the entity in the payment chain remains responsible for ensuring every such device is inventoried and destroyed, even when a vendor performs the physical work.
Enforcement and Consequences
PCI DSS is enforced by the payment card brands through acquiring banks, not by a government agency. Consequences flow through contracts and can escalate to the loss of card-acceptance privileges.
Monthly fines: Acquiring banks can pass card-brand non-compliance fines to merchants, commonly ranging from $5,000 to $100,000 per month until compliance is restored.
Breach liability: A breach involving improperly disposed cardholder data media can trigger forensic-investigation costs, card-reissuance charges, and assessments for fraud losses.
Loss of card acceptance: A merchant that remains non-compliant or suffers a serious breach can be moved to a higher-risk category or lose the ability to accept card payments, which is an existential consequence for many businesses.
Frequently Asked Questions
Is PCI DSS compliance mandatory or voluntary?
PCI DSS is mandatory by contract for any organization that stores, processes, or transmits cardholder data. It is not a government law but a standard the card brands enforce through acquiring banks. Accepting branded payment cards requires agreeing to comply. Requirement 9.4 applies to all merchant levels and mandates that media holding cardholder data be destroyed so the data cannot be reconstructed when it is no longer needed.
What does PCI DSS require for destroying electronic media?
Requirement 9.4.7 of PCI DSS v4.0.1 requires electronic media to be rendered unrecoverable so cardholder data cannot be reconstructed, by secure wiping in line with accepted industry standards or by physical destruction such as shredding or degaussing magnetic media. Industry guidance points to NIST SP 800-88 for the accepted methods. Hardcopy materials must be cross-cut shredded, incinerated, or pulverized under Requirement 9.4.6.
How does All Green Recycling satisfy PCI DSS media disposal requirements?
All Green Recycling’s destruction processes are operationally aligned to Requirement 9.4. The company shreds drives and degausses magnetic media to render electronic media unrecoverable, applies NIST SP 800-88 aligned secure erase where appropriate, cross-cut shreds hardcopy, and issues a Certificate of Destruction with a serialized inventory. That documentation gives a Qualified Security Assessor the evidence it needs. All Green Recycling states process-alignment; the merchant retains its own PCI DSS validation.
What is the difference between hardcopy and electronic media rules in 9.4?
Requirement 9.4 covers both formats but prescribes format-appropriate methods. Under 9.4.6, hardcopy materials containing cardholder data must be cross-cut shredded, incinerated, or pulverized so the data cannot be reconstructed, and materials awaiting destruction must be stored securely. Under 9.4.7, electronic media must be rendered unrecoverable through secure wiping to an accepted standard or physical destruction such as shredding or degaussing. The common objective across both is that cardholder data cannot be reconstructed after disposal. A complete program addresses paper receipts and reports as well as the drives and tapes that stored card data electronically.
Does a destruction vendor need to be PCI certified?
There is no “PCI certification” for a destruction vendor in the sense of a held credential. PCI DSS validation applies to entities in the payment chain, and media destruction is a control those entities implement, often through a service provider. What an assessor evaluates is whether the destruction method renders cardholder data unrecoverable and whether documentation proves it. All Green Recycling supplies destruction aligned to Requirement 9.4 and the Certificate of Destruction that evidences it.
What documentation does a PCI DSS assessor expect for disposed media?
A Qualified Security Assessor expects a media inventory under Requirement 9.4.5 and evidence that media was destroyed when no longer needed. The Certificate of Destruction from All Green Recycling records the serialized devices, the destruction method, and the date, which demonstrates that the cardholder data media was rendered unrecoverable. Pairing this with the merchant’s own media-handling logs creates a complete Requirement 9.4 audit trail.
How does PCI DSS relate to NIST SP 800-88?
PCI DSS Requirement 9.4.7 calls for secure wiping in line with accepted industry standards, and NIST SP 800-88 Rev. 2 is the recognized standard those methods reference. PCI DSS provides the contractual obligation to render cardholder data media unrecoverable, while NIST SP 800-88 defines the Clear, Purge, and Destroy techniques that accomplish it. Destruction aligned to NIST SP 800-88 therefore satisfies the method expectation embedded in Requirement 9.4.
When must cardholder data media actually be destroyed?
Requirement 9.4 ties destruction to need: media holding cardholder data must be destroyed when it is no longer required for business or legal reasons. This works alongside PCI DSS data-retention requirements, which call for limiting stored cardholder data to what is necessary and defining a retention period. In practice an organization defines how long it must keep the data, and once that period passes for media that will be retired, the media is destroyed so the data cannot be reconstructed. All Green Recycling performs that destruction on the organization’s schedule and records each device on the Certificate of Destruction, giving the assessor a dated, serialized record.
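The reconciliation an assessor performs between the 9.4.5 media inventory and the serialized Certificate of Destruction, as described in the alignment section and the documentation and retention answers above, written out as an added Python example; it is not part of this page or of All Green Recycling's process. The record layouts, field names, accepted-method table and sample serials are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed mapping of accepted methods per media type, following the page's reading of
# 9.4.6 (hardcopy) and 9.4.7 (electronic). Degaussing only affects magnetic media.
ACCEPTED = {
    "hardcopy": {"cross-cut shred", "incinerate", "pulverize"},
    "hdd": {"shred", "degauss", "secure wipe"},
    "ssd": {"shred", "secure wipe"},
}

@dataclass(frozen=True)
class InventoryItem:        # one row of the 9.4.5 media inventory (assumed layout)
    serial: str
    media: str
    retention_end: date     # date after which the cardholder data is no longer needed

@dataclass(frozen=True)
class CoDEntry:             # one row of the Certificate of Destruction (assumed layout)
    serial: str
    method: str
    destroyed_on: date

def reconcile(inventory, cod, as_of):
    # Returns the findings an assessor would raise; an empty list means the trail is complete.
    findings = []
    inv = {i.serial: i for i in inventory}
    cert = {c.serial: c for c in cod}
    for serial, c in cert.items():
        if serial not in inv:
            findings.append(f"{serial}: destroyed but never inventoried (9.4.5)")
        elif c.method not in ACCEPTED[inv[serial].media]:
            findings.append(f"{serial}: {c.method} not accepted for {inv[serial].media}")
    for serial, i in inv.items():
        # Media past its retention date with no destruction record is an open 9.4.7 gap.
        if serial not in cert and i.retention_end < as_of:
            findings.append(f"{serial}: past retention, no destruction record (9.4.7)")
    return findings

# Constructed sample records; serials and dates are invented, not real devices.
INVENTORY = [
    InventoryItem("HDD-0001", "hdd", date(2024, 1, 31)),
    InventoryItem("SSD-0002", "ssd", date(2024, 1, 31)),
    InventoryItem("PAPER-0004", "hardcopy", date(2023, 6, 30)),
]
COD = [
    CoDEntry("HDD-0001", "shred", date(2024, 2, 5)),
    CoDEntry("SSD-0002", "degauss", date(2024, 2, 5)),   # degauss does not erase an SSD
    CoDEntry("HDD-9999", "shred", date(2024, 2, 5)),     # never appeared in the inventory
]
```

Running `reconcile(INVENTORY, COD, date(2024, 3, 1))` yields three findings: the SSD degaussed with an unacceptable method, the drive destroyed without an inventory entry, and the hardcopy past retention with no certificate.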
Need media disposal services that satisfy PCI DSS media disposal requirements?
Bonded · Insured · Certificate of Destruction · Methods follow PCI DSS Media Disposal