Hard Copy Material Destruction
PCI DSS 4.0.1 Requirement 9.4.6 requires you to destroy any hard-copy materials that contain cardholder data once they’re no longer needed, using a method that prevents reconstruction (cross-cut shredding, incineration, or pulping) and to keep that material in secure containers until destruction (PCI DSS v4.0.1 Requirement 9.4.6).
Key takeaways:
- Define exactly what “hard-copy with cardholder data” means in your environment, then standardize handling and destruction.
- Control the “pre-destruction” phase with locked bins, limited access, and documented chain-of-custody.
- Evidence matters: auditors look for written procedures, service-provider oversight, and destruction logs that match reality.
Hard copy is still a live risk in card environments because it bypasses many of the controls you’ve built for electronic data. PCI DSS 9.4.6 is direct: if paper contains cardholder data, you must store it securely until you destroy it, and destruction must make the data unrecoverable (PCI DSS v4.0.1 Requirement 9.4.6). That sounds simple, but most audit findings come from operational gaps: unclear scope (what counts as “cardholder data” on paper), inconsistent practices across sites, unsecured “to-be-shredded” bins, and third-party shredding services with weak oversight.
This page is written for a Compliance Officer, CCO, or GRC lead who needs to operationalize the requirement fast. You’ll get a plain-English interpretation, who and what is in scope, step-by-step procedures you can implement, the evidence package to retain, and the exam questions that cause delays. Where helpful, you’ll also see how to translate the requirement into assignable tasks for facilities, IT, call centers, retail operations, and third parties that handle your paper.
Regulatory text
PCI DSS 4.0.1 Requirement 9.4.6 states: “Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons as follows: materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed, and materials are stored in secure storage containers prior to destruction.” (PCI DSS v4.0.1 Requirement 9.4.6)
What the operator must do (plain-English)
You must run a repeatable operational process that:
- Identifies hard-copy materials that contain cardholder data (CHD).
- Keeps those materials secured while they wait to be destroyed (locked bins/containers with controlled access).
- Destroys the materials using an approved method (cross-cut shredding, incineration, or pulping) so the CHD cannot be reconstructed (PCI DSS v4.0.1 Requirement 9.4.6).
- Triggers destruction when the material is no longer needed for business or legal reasons (PCI DSS v4.0.1 Requirement 9.4.6).
This is not just a “buy shredders” requirement. It is a lifecycle control: creation/receipt → storage → transport (if any) → destruction → evidence.
Who it applies to
PCI DSS 9.4.6 applies to any entity in scope for PCI DSS that handles CHD in hard copy, including merchants, service providers, and payment processors (PCI DSS v4.0.1 Requirement 9.4.6).
Typical in-scope operational contexts
- Retail: printed receipts, chargeback packets, paper order forms.
- Call centers: notes taken during calls, faxed authorization forms.
- Back office: mailed-in payment forms, archived statements, disputes.
- Shipping/fulfillment: packing slips or paperwork that inadvertently includes CHD.
- Corporate functions: HR or legal files that contain CHD due to reimbursement documentation or expense artifacts.
- Third parties: offsite storage, shredding vendors, print/mail houses handling customer correspondence that contains CHD.
What you actually need to do (step-by-step)
1) Define scope: what hard-copy “cardholder data” means for you
Create a short scoping note and align it with your data handling standards:
- Examples to explicitly classify: full PAN, PAN with cardholder name, and any paper that could be used to reconstruct PANs from fragments.
- List your paper sources (receipts, forms, chargebacks, mail, faxes, printer output, exception reports).
Deliverable: Hard-copy CHD inventory by site/function (even if it’s a one-page table).
2) Set retention triggers: “no longer needed for business or legal reasons”
PCI DSS does not prescribe retention periods; it requires destruction once the material is no longer needed (PCI DSS v4.0.1 Requirement 9.4.6). Operationalize this by:
- Identifying who decides “needed” (Legal, Finance, Operations).
- Mapping each paper type to a retention rule (e.g., “until dispute window closes,” “until reconciliation complete,” “per legal hold”).
Deliverable: Records retention + destruction rules for hard-copy CHD (as an addendum to your enterprise retention schedule).
3) Lock down pre-destruction storage
The requirement is explicit that materials are “stored in secure storage containers prior to destruction” (PCI DSS v4.0.1 Requirement 9.4.6). Minimum operational controls:
- Use locked shred bins or locked consoles, not open “recycling” or “to shred” boxes.
- Place bins in access-controlled areas where feasible (cash office, secure mailroom).
- Restrict who can insert/remove contents if your bin design allows it.
- If you transport paper internally (store → back office), define a secure transfer method (sealed bag, locked cart) and assign accountability.
Deliverables: Bin placement plan, access control rules, and a transfer procedure.
4) Implement approved destruction methods (and disallow everything else)
Approved methods are: cross-cut shredding, incineration, or pulping, and the result must prevent reconstruction (PCI DSS v4.0.1 Requirement 9.4.6).
- If you shred onsite, confirm shredders are cross-cut, placed to support workflow, and maintained.
- If you shred offsite, confirm the third party’s process results in cross-cut shredding (or pulping/incineration) and that your contracts and oversight match your risk.
- Prohibit strip-cut shredders and “tear by hand” practices for CHD-bearing materials.
Deliverables: Destruction standard, approved equipment list, and disallowed methods list.
5) Build a chain-of-custody model that fits your operations
Auditors will test whether paper can “walk out the door” between collection and destruction. Choose one of these patterns and document it:
- Onsite destruction: staff place CHD into locked bins, authorized staff shred on a schedule, supervisor signs a destruction log.
- Offsite shredding service: locked bins collected by vetted third party, sealed transport, certificate or log returned, periodic witness/destruction verification.
Deliverable: Chain-of-custody procedure with roles (RACI) for each site type.
6) Train the people who touch paper
Make training targeted and job-specific:
- Frontline: what goes in locked bins, what must never go in regular trash, how to handle misprints.
- Supervisors: how to review logs and spot breakdowns.
- Facilities/mailroom: bin swaps, access control, incident escalation.
Deliverables: Training module, acknowledgments, and role-based job aids near printers and mail intake.
7) Monitor and test (small, repeatable checks)
You do not need complicated metrics; you need consistent verification:
- Walkthrough checks: bins locked, not overflowing, not stored in public areas.
- Spot checks: are destruction logs filled out; do they match the pickup schedule.
- Exceptions: printer jams/misprints handled as CHD until proven otherwise.
Deliverable: Monthly/quarterly control check checklist and documented findings.
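The retention triggers from step 2 and the spot checks from step 7 can be reduced to a small reconciliation you run over your own records. The script below is an added example, not code from this page or from Daydream. It assumes a fixed pickup cadence per site, a pickup log returned by the shredding service, and a paper inventory with creation dates; the site name, schedule dates, retention day counts and certificate ids are all constructed placeholders, and the retention values are stand-ins for whatever your Legal, Finance and Operations owners actually set.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Every record below is constructed sample data for this example, not a real log.


@dataclass(frozen=True)
class PickupRecord:
    site: str
    pickup_date: date
    bins_collected: int
    certificate_id: Optional[str]  # None when the vendor returned no destruction record


@dataclass(frozen=True)
class PaperRecord:
    site: str
    paper_type: str
    created: date
    legal_hold: bool = False  # a legal hold suspends the retention trigger


# Hypothetical retention triggers in days after creation (placeholder values).
RETENTION_DAYS = {
    "chargeback_packet": 180,
    "paper_order_form": 30,
    "faxed_auth_form": 14,
}

# Constructed pickup cadence per site: (first pickup, last pickup, every N days).
PICKUP_SCHEDULE = {
    "store-12": (date(2024, 3, 4), date(2024, 4, 15), 14),
}

# Constructed pickup log; the 2024-04-01 pickup never happened.
PICKUP_LOG = [
    PickupRecord("store-12", date(2024, 3, 4), 2, "CERT-0001"),
    PickupRecord("store-12", date(2024, 3, 18), 2, "CERT-0002"),
    PickupRecord("store-12", date(2024, 4, 15), 3, None),
]

# Constructed hard-copy CHD inventory for one site.
PAPER_INVENTORY = [
    PaperRecord("store-12", "chargeback_packet", date(2023, 9, 1)),
    PaperRecord("store-12", "paper_order_form", date(2024, 4, 5)),
    PaperRecord("store-12", "faxed_auth_form", date(2024, 3, 1), legal_hold=True),
    PaperRecord("store-12", "faxed_auth_form", date(2024, 3, 20)),
]


def expected_pickups(start: date, end: date, every_days: int):
    """Yield the dates a fixed-cadence schedule expects between start and end."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=every_days)


def missed_pickups(site: str, log=PICKUP_LOG, tolerance_days: int = 2):
    """Expected pickup dates for `site` with no logged pickup within `tolerance_days`.
    Returned as ISO strings so findings drop straight into a check record."""
    start, end, every = PICKUP_SCHEDULE[site]
    actual = [r.pickup_date for r in log if r.site == site]
    return [
        exp.isoformat()
        for exp in expected_pickups(start, end, every)
        if not any(abs((a - exp).days) <= tolerance_days for a in actual)
    ]


def pickups_without_record(site: str, log=PICKUP_LOG):
    """Pickups where the service returned no certificate or destruction record."""
    return [r.pickup_date.isoformat()
            for r in log if r.site == site and r.certificate_id is None]


def overdue_for_destruction(site: str, today: date, inventory=PAPER_INVENTORY):
    """Paper past its retention trigger and not on legal hold, as (type, due date)."""
    findings = []
    for r in inventory:
        if r.site != site or r.legal_hold:
            continue
        due = r.created + timedelta(days=RETENTION_DAYS[r.paper_type])
        if today > due:
            findings.append((r.paper_type, due.isoformat()))
    return findings


def run_checks(site: str, today_iso: str) -> dict:
    """Bundle the three spot checks into one result a supervisor can sign off."""
    today = date.fromisoformat(today_iso)
    return {
        "missed_pickups": missed_pickups(site),
        "pickups_without_record": pickups_without_record(site),
        "overdue_for_destruction": overdue_for_destruction(site, today),
    }


if __name__ == "__main__":
    for check, findings in run_checks("store-12", "2024-04-20").items():
        print(f"{check}: {findings or 'none'}")
```

Each non-empty list is an exception to record under step 7: a missed pickup and a pickup with no returned record both point at the third-party oversight gap in step 8, while overdue paper means the retention trigger from step 2 is not being acted on. The legal-hold flag is there because a hold must win over the retention clock; dropping that check would have the script tell staff to destroy paper Legal has asked to keep.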
8) Third-party due diligence (if destruction is outsourced)
If a third party handles your locked bins, transport, or destruction:
- Contractually require methods aligned to cross-cut shredding/incineration/pulping and non-reconstructability (PCI DSS v4.0.1 Requirement 9.4.6).
- Require evidence (pickup logs, certificates, service tickets) and define retention of those records.
- Perform periodic service reviews and document issues.
Practical note: Daydream can centralize third-party evidence collection (pickup logs, certificates, contract clauses, review notes) so you can answer assessor questions without chasing each location.
Required evidence and artifacts to retain
Keep artifacts that prove the control operates, not just that it exists.
Core documents
- Hard-copy CHD handling and destruction procedure referencing approved methods and secure containers (PCI DSS v4.0.1 Requirement 9.4.6)
- Records retention rules for each CHD paper type (business/legal triggers) (PCI DSS v4.0.1 Requirement 9.4.6)
- Third-party contracts/SOWs (if applicable) requiring compliant destruction and secure handling (PCI DSS v4.0.1 Requirement 9.4.6)
Operational records
- Destruction logs (onsite) or pickup/destruction records (offsite)
- Bin inventories and locations per site
- Training completion and acknowledgments for relevant roles
- Exception/incident records (lost paper, unlocked bins, overflow, missed pickup)
- Control check results (site walkthrough checklists, supervisor attestations)
What assessors often accept as “strong” evidence
- A small set of consistent, dated logs across sites.
- Evidence that exceptions are tracked and fixed.
- Proof that offsite shredding is controlled, not assumed.
Common exam/audit questions and hangups
Expect these lines of questioning:
- “Show me where hard-copy CHD exists and how it flows to destruction.”
- “Where are the secure containers, and who can access them?” (PCI DSS v4.0.1 Requirement 9.4.6)
- “Is your shredder cross-cut, and how do you ensure paper can’t be reconstructed?” (PCI DSS v4.0.1 Requirement 9.4.6)
- “How do you decide when paper is no longer needed for legal reasons?” (PCI DSS v4.0.1 Requirement 9.4.6)
- “If a third party destroys it, what evidence do you get and how do you review it?”
- “What happens at small sites with limited space or shared facilities?”
Frequent implementation mistakes (and how to avoid them)
- Open “to-be-shredded” boxes under desks. Fix: locked consoles/bins only; remove ad hoc collection points.
- Confusing “we have shredders” with “we have a destruction process.” Fix: add chain-of-custody, schedules, and logs tied to roles.
- Strip-cut shredders in the field. Fix: standardize procurement to cross-cut shredders and inspect periodically (PCI DSS v4.0.1 Requirement 9.4.6).
- No retention trigger, so paper piles up. Fix: define business/legal owners and enforce routine destruction cycles based on “no longer needed” (PCI DSS v4.0.1 Requirement 9.4.6).
- Outsourced shredding with no oversight. Fix: require documented pickups/destruction records and periodic service review, and retain artifacts centrally.
Enforcement context and risk implications
No public enforcement cases specific to this requirement were available in the sources reviewed for this page. Practically, hard-copy failures still create real exposure: physical theft, dumpster diving, and accidental disposal can trigger incident response and card brand scrutiny because CHD is directly compromised. Treat paper as a high-risk CHD pathway because it bypasses many of the detective controls that exist for systems.
Practical 30/60/90-day execution plan
First 30 days (stabilize and stop obvious gaps)
- Identify all hard-copy CHD sources by function and site.
- Remove open collection boxes and replace with secure containers (PCI DSS v4.0.1 Requirement 9.4.6).
- Confirm destruction method at each site (cross-cut shredding/incineration/pulping) and remediate noncompliant shredders (PCI DSS v4.0.1 Requirement 9.4.6).
- Draft a one-page procedure and interim logging for destruction/pickups.
Next 60 days (standardize and evidence the control)
- Publish a formal hard-copy CHD destruction standard that includes pre-destruction secure storage and approved methods (PCI DSS v4.0.1 Requirement 9.4.6).
- Finalize retention triggers with Legal/Records owners tied to “no longer needed.”
- Implement role-based training and job aids at printers, registers, and mail intake.
- Stand up a central repository for artifacts (logs, certificates, contracts). If you use Daydream, set up a recurring evidence request workflow for each site and third party.
Next 90 days (prove it works at scale)
- Run site walkthroughs and document outcomes.
- Perform a first periodic review of outsourced shredding providers (if used): check contract terms, evidence quality, and missed pickups.
- Test incident handling with a tabletop: “bin found unlocked,” “paper missing,” “pickup skipped.”
- Tune the process: bin placement, pickup frequency, supervisor checks, and exception thresholds.
Frequently Asked Questions
Do we have to shred onsite, or can we use an offsite shredding service?
Offsite shredding can meet the requirement if materials are kept in secure containers prior to destruction and the third party’s process destroys paper via cross-cut shredding, incineration, or pulping so CHD can’t be reconstructed (PCI DSS v4.0.1 Requirement 9.4.6). Keep pickup/destruction evidence and show oversight.
What counts as a “secure storage container” before destruction?
A secure container is one that prevents casual access and removal of documents before destruction, typically a locked shred bin or console in a controlled area (PCI DSS v4.0.1 Requirement 9.4.6). Document where containers are located and who manages them.
Are strip-cut shredders acceptable if we shred frequently?
The requirement specifies cross-cut shredding (or incineration/pulping) so that CHD cannot be reconstructed (PCI DSS v4.0.1 Requirement 9.4.6). Treat strip-cut shredders as noncompliant for CHD-bearing materials.
How do we decide when paper is “no longer needed for business or legal reasons”?
Assign ownership to the teams that set retention needs (often Legal, Finance, Operations) and map each CHD paper type to a retention trigger (PCI DSS v4.0.1 Requirement 9.4.6). Auditors will expect a consistent rule, not ad hoc decisions.
Do we need certificates of destruction for every shred event?
PCI DSS 9.4.6 requires secure pre-destruction storage and irrecoverable destruction, but it does not prescribe a specific evidence format (PCI DSS v4.0.1 Requirement 9.4.6). Keep logs or third-party records that let you prove what was destroyed, when, by whom, and under what process.
What if our receipts show only truncated PAN—does this requirement still apply?
The requirement applies to “hard-copy materials with cardholder data” (PCI DSS v4.0.1 Requirement 9.4.6). Classify your receipt formats in your hard-copy inventory and align handling to your CHD definition; if it is CHD in your environment, apply secure storage and approved destruction.