The Payment Card Industry Data Security Standard (PCI DSS) was set up to help businesses (Merchants) process card payments securely to reduce card fraud.
The standard is achieved through tight controls surrounding the storage and transmission of cardholder data that businesses handle. There are 12 requirements of the PCI DSS – a full list can be found on The UK Card Association’s website.
Requirement 9 of the standard is to enforce measures that restrict the physical access to cardholder data. To meet this requirement the Merchant must securely dispose of any media that contains personal data. In the case of paper receipts and printouts it is important to remember that most paper shredders and paper shredding companies do not comply with PCI DSS. Strip cut shredding does not comply with the DSS. A compliant destruction process requires a secondary cut leaving the paper in tiny fragments. This is commonly called cross cut shredding and obscures payment card information to a level that the PCI DSS accepts as secure.
Many office shredders simply strip cut and many shredding companies do not have the capability to cross cut. If your organisation engages a shredding contractor that collects and shreds your confidential waste off-site part of your regular audit checklist should be to examine the shred outcome to ensure it is cross cut. If you employ an on-site shredding company you should ask the operator to demonstrate the cross cut capability on the shred truck and that is activated when shredding your confidential documents.
Non-compliance can result in fines and remedial efforts that could easily exceed £500,000. It can also risk exposing customers (consumers, staff and the general public) to fraud and identity theft. Breach of cardholder information can result in negative publicity and cause damage to an organisation’s reputation. Non-compliance may result in your acquiring bank withdrawing your ability to take card payments.
All Topwood’s shred trucks are Shred Tech MDX (X is for cross cut) and have the capability provide high security shredding.