PCI DSS COMPLIANCE
PCI DSS Device Disposal: Compliant Destruction of Payment Equipment and Cardholder Data
Every business that accepts credit card payments handles cardholder data. That data touches more devices than most merchants realize -- from the point-of-sale terminal at the counter to the payment gateway server in the back office, from the workstation where chargebacks are processed to the backup tapes archived in offsite storage. When any of these devices reach end of life, the PCI Data Security Standard (PCI DSS) imposes specific requirements for how the data must be destroyed.
With PCI DSS v4.0.1 now fully in effect (the last of the future-dated v4.x requirements became mandatory on 31 March 2025), the requirements for media destruction have been clarified and in some areas strengthened. This guide covers what merchants, payment processors, and service providers need to know about disposing of devices that store, process, or transmit cardholder data.
PCI DSS v4.0 Requirements 9.4.6 and 9.4.7: Media Destruction
Two sub-requirements under Requirement 9.4 (media with cardholder data is securely stored, accessed, distributed, and destroyed) govern disposal. Requirement 9.4.6 covers hard-copy materials and Requirement 9.4.7 covers electronic media. Both require that media containing cardholder data be destroyed when it is no longer needed for business or legal reasons, and that the destruction render the cardholder data unrecoverable so that it cannot be reconstructed.
The standard specifies acceptable destruction methods for each:
- Electronic media (9.4.7): the media is destroyed, or the cardholder data is rendered unrecoverable, for example with a secure wipe program that follows industry-accepted standards for secure deletion, by degaussing, or by physically destroying the media (such as shredding).
- Hard-copy materials (9.4.6): cross-cut shredding, incineration, or pulping such that cardholder data cannot be reconstructed, with the materials held in secure storage containers until they are destroyed.
These two requirements work in conjunction with several others:
- Requirement 3.2.1: data retention and disposal policies must keep stored account data to a minimum, define retention periods for each data element, and include a process, run at least once every three months, to identify stored account data that exceeds the defined retention period and securely delete it or render it unrecoverable. (This was Requirement 3.1 in v3.2.1; the "quarterly review" assessors still refer to is this three-month cycle.)
- Requirements 9.4.3 and 9.4.4: media sent outside the facility must be secured, sent via secured courier or another delivery method that can be accurately tracked, and approved by management before it leaves. Requirement 9.4.5 requires inventory logs of all electronic media containing cardholder data, so every serial number that leaves the CDE for destruction must already appear in a log it can be reconciled against.
- Requirement 12.10.1: the incident response plan must be ready to activate on a suspected or confirmed compromise, which is how a decommissioned device that cannot be accounted for should be handled.
Which Devices Store Cardholder Data?
Cardholder data -- defined by PCI DSS as the primary account number (PAN) together with cardholder name, expiration date, and service code -- can reside on a surprisingly wide range of devices. Sensitive authentication data (full track data, card verification codes such as CAV2/CVC2/CVV2/CID, and PINs or PIN blocks) is more restricted still: it must never be stored after authorization, even in encrypted form, but it can exist transiently on devices during processing, and debug logs and memory dumps are a common place for it to persist unnoticed.
Point-of-Sale Terminals and PIN Pads
Modern POS terminals and PIN pads contain internal memory and sometimes local storage that processes and temporarily stores cardholder data during transactions. Devices enrolled in a validated point-to-point encryption (P2PE) solution should only ever hold account data in encrypted form, but they still contain encryption keys, configuration data, and transaction, error, and debug logs that may include account data, and a terminal that was never correctly enrolled, or has fallen out of its P2PE configuration, may hold clear-text PAN. When POS hardware is replaced, treat every device as in scope for secure disposal, and for PCI PTS-approved devices follow the vendor's decommissioning procedure so that keys are removed before the device is destroyed or returned.
Payment Servers and Gateways
On-premises payment processing servers, payment gateway appliances, and transaction routing systems contain the highest volumes of cardholder data. These servers may store transaction records, batch files, settlement data, and log files containing full or partial card numbers.
Workstations
Any computer used for payment processing, chargeback management, reconciliation, or customer service with access to payment systems may contain cardholder data in application caches, local databases, exported reports, email attachments, or browser data.
Network Equipment
Firewalls, routers, and switches within the cardholder data environment (CDE) contain configuration data, access control lists, and potentially packet captures or logs that include cardholder data. Network equipment is frequently overlooked during disposal because it is not perceived as a data storage device.
Backup Media
Backup tapes, external drives, and backup server storage contain copies of cardholder data from production systems. Backup media often has the longest retention period and the highest risk because it contains aggregated data from multiple systems over extended timeframes.
Mobile and Wireless Devices
Mobile payment devices, tablets used as POS terminals, and wireless payment accessories (such as Bluetooth card readers) all require secure disposal when retired.
Acceptable Destruction Methods Per PCI Standards
PCI DSS v4.0 references industry-accepted standards without mandating a single specific method. In practice, Qualified Security Assessors (QSAs) evaluate destruction methods against NIST SP 800-88 (Guidelines for Media Sanitization) and its Clear, Purge, and Destroy categories. Here is how each method applies to payment devices:
Software-Based Secure Wipe
Under NIST SP 800-88 an overwrite is a Clear operation, not a Purge: a single pass with a known pattern plus verification is sufficient for modern magnetic drives, but it is not the Purge level that sanitizes a drive leaving the organization. Purge on a magnetic hard drive means the drive's own ATA Security Erase or SANITIZE command, cryptographic erase on a self-encrypting drive, or degaussing. For SSDs and other flash storage, host-side overwriting is unreliable because wear levelling and over-provisioning leave blocks the host cannot address; Purge requires the drive's sanitize command (ATA SANITIZE block erase or crypto scramble, NVMe Format with secure-erase settings) or a cryptographic erase, and the command's completion status must be checked rather than assumed. Whichever level is used, 800-88 expects a verification step (a full read-back, or a recorded random sample for large media) and a record of the tool, command, result, and operator. Software sanitization is the right choice for devices that will be reused or resold, but the method must be validated as appropriate for the specific media type.
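The verification step just described, as an added example that is not from the original page or any sanitization tool: a Python read-back check that reads blocks from a sanitized device or disk image (all of them, or a reproducible random sample) and reports any block not wholly made of the expected fill byte, so the result can go into the destruction log. It assumes a Unix host (it uses os.pread and lseek, which work on block devices) and a sanitization that leaves a known fill byte; after a cryptographic erase the device returns ciphertext, so this check does not apply there. The two disk images it builds, and the test card number planted in one of them, are constructed test data.

```python
"""Read-back verification after an overwrite or block-erase sanitization.

NIST SP 800-88 calls for a verification pass after Clear or Purge: a full
read of the media where practical, otherwise a recorded random sample. This
checks that each block read holds only the expected fill byte and reports the
offsets that do not.

Added example, not code from the page. Assumes a Unix host (os.pread) and a
sanitization that leaves a known fill byte; after cryptographic erase the
device returns ciphertext, so this check does not apply there.
"""
import os
import random
import tempfile

BLOCK = 4096


def verify_fill(path, fill=b"\x00", samples=None, seed=None, block_size=BLOCK):
    """Return (blocks_checked, bad_offsets) for a block device or image file.

    samples=None reads every block; otherwise `samples` blocks are chosen with
    random.Random(seed), so the same sample can be reproduced from the seed
    written into the destruction log.
    """
    if len(fill) != 1:
        raise ValueError("fill must be exactly one byte")
    fd = os.open(path, os.O_RDONLY)
    try:
        # lseek to the end also works for block devices, where os.path.getsize reports 0
        size = os.lseek(fd, 0, os.SEEK_END)
        nblocks = (size + block_size - 1) // block_size
        if samples is None or samples >= nblocks:
            offsets = range(0, size, block_size)
        else:
            chosen = random.Random(seed).sample(range(nblocks), samples)
            offsets = [i * block_size for i in sorted(chosen)]
        bad = []
        checked = 0
        for off in offsets:
            data = os.pread(fd, block_size, off)  # last block may be short
            checked += 1
            if data != fill * len(data):
                bad.append(off)
        return checked, bad
    finally:
        os.close(fd)


def build_image(path, blocks=64, residue=b"", residue_offset=0):
    """Constructed test image: zero-filled, optionally with leftover bytes planted."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (blocks * BLOCK))
        if residue:
            f.seek(residue_offset)
            f.write(residue)


def demo():
    """Build a clean image and one with a residual transaction record; verify both."""
    workdir = tempfile.mkdtemp(prefix="wipe-verify-")
    clean = os.path.join(workdir, "clean.img")
    dirty = os.path.join(workdir, "dirty.img")
    build_image(clean)
    # block 3 keeps a fragment of a transaction log (4111... is a test card number)
    build_image(dirty, residue=b"PAN=4111111111111111;EXP=1229",
                residue_offset=3 * BLOCK + 100)
    return {
        "clean_full": verify_fill(clean),
        "dirty_full": verify_fill(dirty),
        "dirty_sample": verify_fill(dirty, samples=8, seed=20250401),
    }


if __name__ == "__main__":
    for name, (checked, bad) in demo().items():
        verdict = "PASS" if not bad else "FAIL at offsets %s" % bad
        print(f"{name}: {checked} blocks read, {verdict}")
```

Run it against a real device as `verify_fill("/dev/sdX")` after the overwrite or block erase has completed. Note that the sampled run can miss the planted residue: a sample only bounds the probability of surviving data, which is why a full read is preferred where time allows, and why the sample size and seed belong in the log next to the result.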
Degaussing
Effective for magnetic hard drives and tape media. The degausser must be rated above the coercivity of the media being processed; modern high-density drives sit in the several-thousand-oersted range, and the usual reference point is a degausser on the NSA/CSS Evaluated Products List for that media type, which for current drives means fields on the order of 10,000 gauss and above. Degaussing a hard drive also erases its servo tracks, so the drive is unusable afterwards and cannot be verified by reading it back; keep the degausser's own verification output. Degaussing has no effect on SSDs, flash drives, or optical media and must never be used as the sole destruction method for those media types.
Physical Destruction -- Shredding
The most definitive destruction method and the one most commonly accepted by QSAs without additional questions. PCI DSS itself requires cross-cut shredding for paper but specifies no particle size; the benchmark assessors generally accept is DIN 66399 security level P-4 or higher (particles of 160 mm² or less and no wider than 6 mm). For electronic media the expectation is fragments small enough that reconstruction is infeasible; industrial hard drive shredders typically produce output under 25 mm, which is adequate for magnetic platters but not for flash memory (see the SSD note under Cross-Cut Shredding Requirements).
Incineration
Complete incineration of electronic media is acceptable but less commonly used due to environmental regulations and the practical challenges of incinerating metal and plastic components. When used, it must be performed at a licensed facility with documented proof of destruction.
QSA Audit Requirements for Device Disposal
During a PCI DSS assessment, your Qualified Security Assessor will evaluate your media destruction practices. Here is what QSAs typically examine:
- Written media destruction policy: A documented policy that defines which media types require secure destruction, acceptable methods for each type, responsible parties, and documentation requirements.
- Media inventory: Per Requirement 9.4.5, a current inventory log of all electronic media that stores cardholder data, including the media type, serial number or identifier, location, and classification, with the inventory itself reviewed at least annually (9.4.5.1). Destruction records are reconciled against this inventory, so a device that is destroyed without ever appearing in it is a finding in its own right.
- Destruction logs: Records of all media destruction events, including the date, media type, serial number or identifier, destruction method, and the individual who performed or witnessed the destruction.
- Vendor contracts: If using a third-party destruction vendor, the contract must require that the vendor meet PCI DSS requirements for media destruction and provide detailed destruction certificates.
- Retention review evidence: Per Requirement 3.2.1, evidence that the organization checks at least once every three months for stored account data that has exceeded its defined retention period and securely deletes it or renders it unrecoverable.
- Hardcopy destruction methods: QSAs will verify that cross-cut shredders (not strip-cut) are used for paper containing cardholder data and that shredder output size meets security requirements.
A common audit finding is the absence of destruction logs or the use of generic certificates that do not identify specific media by serial number. QSAs require granular, per-device documentation to verify that all media has been accounted for and properly destroyed.
Chain of Custody for Payment Devices
PCI DSS Requirement 9 (Restrict Physical Access to Cardholder Data) extends to the entire lifecycle of payment devices, including the period between decommission and destruction. A compliant chain of custody process includes:
- Secure decommission: When a device is removed from the CDE, it must be tagged, logged, and placed in a secured staging area with access controls equivalent to the CDE itself.
- Inventory reconciliation: Every device removed from the CDE must be tracked against the media inventory. Any discrepancies (missing devices, unaccounted serial numbers) must be investigated as a potential security incident.
- Secure transport: If devices are transported to a destruction facility, Requirement 9.4.3 applies: the media must be secured and sent by secured courier or another delivery method that can be accurately tracked, with management approval recorded before it leaves the site (9.4.4). Use locked containers and documented handoff procedures, and never ship payment devices via an ordinary untracked carrier.
- Witnessed destruction: For highest-risk media (payment servers, primary transaction databases), consider witnessed destruction where a company representative observes the physical destruction process.
- Documentation: Every handoff point -- from decommission to staging, staging to transport, transport to destruction facility, and destruction to certificate -- must be documented with dates, times, responsible individuals, and signatures.
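The destruction-log checks from the QSA section (serial-level records, no generic certificates) and the inventory reconciliation step in the chain-of-custody list above, worked as an added example that is not the page's own tooling or any vendor's: a Python reconciliation of the Requirement 9.4.5 media inventory against the destruction certificates, producing the findings a QSA would raise. The APPROVED_METHODS table is an illustrative per-media-type policy of the kind the disposal program section says to write down, and the two CSV records, serial numbers, certificate IDs, and "Acme Shred LLC" are constructed for the example.

```python
"""Reconcile the CDE media inventory against destruction records.

Added example, not the page's own tooling. The inventory mirrors the log that
PCI DSS v4.0 Requirement 9.4.5 calls for; the destruction records are what a
vendor's serial-level certificates would be keyed into. APPROVED_METHODS is an
illustrative policy table (which methods this organisation accepts per media
type); the CSV data, serials and company name below are constructed.
"""
import csv
import io

APPROVED_METHODS = {
    "hdd":   {"ata-secure-erase", "degauss", "shred"},
    "ssd":   {"crypto-erase", "block-erase", "shred-2mm"},   # no degauss, no overwrite
    "tape":  {"degauss", "shred", "incinerate"},
    "paper": {"cross-cut-shred", "incinerate", "pulp"},       # strip-cut is never listed
    "pos":   {"vendor-decommission", "shred"},
}

INVENTORY_CSV = """serial,media_type,asset,status
WD-7F21A9,hdd,payment gateway srv01 data disk,decommissioned
SM-0C44E1,ssd,chargeback workstation ws14,decommissioned
LTO-0091,tape,weekly settlement backup,decommissioned
VF-33921,pos,lane 2 PIN pad,decommissioned
WD-7F21B0,hdd,payment gateway srv01 os disk,in_service
"""

DESTRUCTION_CSV = """cert_id,serial,media_type,method,date,performed_by
C-1041,WD-7F21A9,hdd,shred,2025-04-02,Acme Shred LLC
C-1042,SM-0C44E1,ssd,degauss,2025-04-02,Acme Shred LLC
C-1043,,tape,degauss,2025-04-02,Acme Shred LLC
C-1044,WD-7F21B0,hdd,shred,2025-04-02,Acme Shred LLC
C-1045,ST-99AA01,hdd,shred,2025-04-02,Acme Shred LLC
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, destruction):
    """Return findings as (severity, identifier, issue) tuples."""
    findings = []
    inv = {row["serial"]: row for row in inventory}
    destroyed = set()
    for rec in destruction:
        serial = rec["serial"].strip()
        if not serial:
            # A certificate naming no serial cannot prove which item it covers.
            findings.append(("high", rec["cert_id"], "generic certificate: no serial number"))
            continue
        destroyed.add(serial)
        item = inv.get(serial)
        if item is None:
            findings.append(("medium", serial, "destroyed media not in inventory"))
            continue
        if item["status"] != "decommissioned":
            findings.append(("high", serial, f"destroyed while inventory status is '{item['status']}'"))
        if rec["method"] not in APPROVED_METHODS.get(item["media_type"], set()):
            findings.append(("high", serial, f"method '{rec['method']}' not approved for {item['media_type']}"))
    for serial, item in inv.items():
        if item["status"] == "decommissioned" and serial not in destroyed:
            # Unaccounted-for media is a potential incident, not a paperwork gap.
            findings.append(("critical", serial, "decommissioned with no destruction record"))
    return findings


def run_demo():
    return reconcile(load(INVENTORY_CSV), load(DESTRUCTION_CSV))


if __name__ == "__main__":
    for severity, ident, issue in run_demo():
        print(f"{severity:8} {ident:10} {issue}")
```

On the constructed data this produces six findings: the SSD degaussed (ineffective method), the tape's generic certificate, which in turn leaves the tape itself unaccounted for, the PIN pad with no record at all, a drive destroyed while the inventory still says in_service, and a serial destroyed that the inventory never knew about. The last two are inventory-quality findings rather than destruction findings, but a QSA treats them the same way: the inventory and the certificates have to agree.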
Cross-Cut Shredding Requirements
PCI DSS explicitly calls out cross-cut shredding for hard-copy materials, and the principle extends to electronic media. Strip-cut shredders, which produce long uniform strips, do not meet PCI requirements because the strips can potentially be reassembled. Key specifications for PCI-compliant shredding:
- Hard-copy materials: Cross-cut particle size of 5mm x 30mm or smaller (DIN 66399 Security Level P-4 or higher).
- Electronic media (hard drives): Industrial shredding to a particle size small enough that data recovery is infeasible. Most certified shredding services produce particles in the 13mm to 25mm range.
- SSDs and flash media: Physical destruction must account for the small size of NAND flash packages (typically 10 to 20 mm on a side), which can pass through a 25 mm hard-drive shredder intact with their contents still readable by a chip-off lab. Use a shredder or disintegrator rated for solid-state media; NSA/CSS guidance for solid-state media is a 2 mm particle size. Running the drive's sanitize or cryptographic erase command before shredding means the data is gone even if a fragment survives.
Common PCI Disposal Mistakes
- Returning leased POS equipment without wiping: Leased terminals returned to the leasing company with transaction data intact. The merchant remains responsible for data protection even on leased equipment.
- Forgetting network equipment: Firewalls and switches within the CDE contain configuration data, VPN credentials, and potentially cardholder data in logs. These require the same disposal rigor as servers.
- Using consumer-grade deletion: Deleting files or formatting drives does not meet PCI requirements. Data remains recoverable with forensic tools.
- No disposal cycle: Allowing decommissioned CDE equipment to accumulate in storage rooms. Every such device is still in-scope media under Requirement 9.4 (it must be inventoried, physically secured, and eventually destroyed), so the pile extends both your attack surface and your assessment scope. Tie disposal to the three-month retention review from Requirement 3.2.1 so that nothing waits more than one cycle.
- Incomplete scope: Failing to include all devices that interact with the CDE -- including printers, fax machines, and document scanners used for payment processing -- in the disposal program.
Building a PCI-Compliant Disposal Program
- Map your cardholder data environment: Identify every device type that stores, processes, or transmits cardholder data, including transient storage.
- Define retention periods: Work with legal and finance to establish how long each category of cardholder data must be retained (remembering that PCI DSS prohibits storing sensitive authentication data after authorization under any circumstances).
- Document acceptable destruction methods: For each media type in your CDE, specify which destruction methods are approved and the minimum standards for each.
- Establish a review cycle: Schedule and document reviews at least every three months (Requirement 3.2.1) to identify stored data and media that have exceeded their retention period and route them to destruction.
- Select a qualified vendor: Choose a data destruction vendor with NAID AAA certification and experience with PCI-scoped environments. Verify they can provide the serial-number-level documentation your QSA will require.
- Implement chain of custody controls: Document every stage from decommission through destruction with dates, responsible parties, and signatures.
- Prepare for the QSA: Maintain an organized file of destruction certificates, vendor contracts, policy documents, and quarterly review records that can be presented during your annual assessment.
Getting Started
If your organization needs to dispose of POS terminals, payment servers, or any equipment from your cardholder data environment, we provide PCI-compliant destruction services with the documentation your QSA expects. Our process includes cross-cut shredding for media requiring physical destruction, NIST 800-88 Purge-level sanitization for reusable equipment, serial-number-level certificates, and full chain of custody documentation.
Request a quote or call 833-96-CYCLE to discuss your PCI disposal requirements.