Is Your Paper Shredder PCI DSS Compliant? Advice For Small Business Owners

5 March 2015
Categories: Articles


All business owners must make sure they handle sensitive information responsibly. If you deal with payment card details, the PCI DSS sets out clear rules about the steps you must take to protect your customers' information. The PCI guidelines even cover the steps you should take when you dispose of information you no longer need. If you need to shred sensitive customer data, read on to learn the steps you must take to comply with the PCI DSS.

An overview of the PCI DSS

Payment card fraud in the United States accounts for more than half of all the money lost in this way globally. In 2013, payment fraud in the United States cost $7.1 billion, an increase of 29 percent on the previous year. This type of fraud affects organizations of all sizes, and small business owners should never assume that criminals only want to target large organizations and retailers.

The Payment Card Industry Data Security Standard (PCI DSS) broadly covers six aspects of business operations. These include:

  • Secure networks to handle customer transactions
  • Methods to protect the customer data you hold
  • Software and operating system security tools against malicious attacks
  • Relevant access controls to sensitive card data
  • Monitoring and testing to make sure you continue to meet the rules
  • A formal security policy that covers everything you do

The PCI DSS gives your business a structured set of rules to follow in each of these areas and offers considerable detail about the sort of protection you should build into your systems. However, not all businesses store card data electronically, and the PCI DSS also covers the storage and disposal of portable media, including paper records.

Why your paper shredder is such a vital tool

Small business owners often face an apparent conflict between the PCI DSS and the instructions that banks give. The merchant agreement you have with your bank to handle payment card transactions often means that you must keep detailed records of every purchase and refund, but the PCI DSS states that you must keep data storage to a minimum.

To meet the PCI DSS, you must protect the customer data you keep with a robust set of policies and business practices. The standard means that you must only keep card receipts and other paper documents for the minimum period, and you must also safely dispose of these records. Under these rules, your choice of paper shredder suddenly becomes crucial.

How your paper shredder could help anyone commit fraud

It's important to remember that some paper shredders do not comply with the PCI DSS. How is this possible?

Most businesses print office documents on A4 sheets of paper, in either landscape or portrait layout. A strip shredder cuts these sheets along lines running in the same direction as the printed text. As a result, the strips will still often reveal crucial information, especially if the shredder produces relatively wide strips.

While you may think it unlikely that a thief would use paper strips to commit fraud, think again. In the United States, the Department of Defense ran a project to see whether people could devise a program to put shredded documents back together. The Department offered applicants a cash prize for the best solution that could turn five shredded sheets of paper (that's 10,120 small strips) back into a readable document.

An American computer programmer designed software that scanned the pieces and then matched them up based on the letters that joined across strips, patterns on the paper and other features. As the project team suspected, the work demonstrated that strip-shredded paper remains a security risk.

PCI-compliant shredders

PCI-compliant paper shredders don't just cut the paper into strips. These devices (generally called cross-cut shredders) cut documents in two directions, leaving tiny paper fragments. Tests show that these pieces make it almost impossible to put the sheets back together. More importantly, a cross-cut shredder obscures payment card information to a level that the PCI DSS accepts as secure.

You can use cross-cut shredders to dispose of other materials, too: cross-cut shredding securely destroys media such as CDs and DVDs. You can also buy cross-cut devices for roughly the same cost as a traditional strip shredder, and the resulting waste takes up less room.

If your small business creates a significant amount of paper waste, or you need to get rid of a lot of waste before an office move, you may prefer to pay for a shredding service. A specialist company can give you secure bins for all your waste, which an operator will then empty and shred for you on-site, normally in a mobile shredding truck. Look online for details of companies offering these services in your area.

It's important to get rid of card transaction data as soon as you no longer need it. Protect your customers' data, and make sure you use a cross-cut shredder to dispose of records securely.