Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1070 Published

Are digital images containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?

Forms and images containing cardholder data are subject to PCI DSS. PCI DSS Requirement 3.4 requires that all cardholder data be rendered unreadable, and it does not differentiate between how the data is stored or managed. To comply with PCI DSS, the image and/or paper form must therefore be stored in a compliant manner, which includes rendering the data unreadable (or protecting it with appropriate compensating controls). In addition, PCI DSS Requirement 3.2 prohibits storage of sensitive authentication data (magnetic stripe data, card validation codes and values (CID, CAV2, CVC2, CVV2), and PIN block data) after authorization. If the entity collects any sensitive authentication data, it must remove or obfuscate that data before imaging, so that prohibited data is not stored either before or after the image is scanned.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.