FAQ #1070 Diff

Are digital images containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?

Earlier Version

Forms and images containing cardholder data are subject to the PCI DSS. The specific sub requirement 3.4 requires that all cardholder data be rendered unreadable. It does not differentiate between how the data is stored or managed. That being said, to comply with PCI DSS, the image and/or paper form will need to be stored in a compliant manner which would include rendering it unreadable (or protecting that data with appropriate compensating controls). In addition, PCI DSS requirement 3.2 prohibits storage of sensitive authentication data (magnetic stripe, card validation codes and values (CID, CAV2, CVC2, CVV2), and PIN block data) after authorization. If the entity collects any sensitive authentication data, they must remove or obfuscate such data before they image it, thereby not storing prohibited data before (and after) the image is scanned.

Later Version

Yes, forms and images containing cardholder data are subject to the PCI DSS. PCI DSS Requirement 3 requires that all cardholder data be rendered unreadable. It does not differentiate between how the data is stored or managed. PCI DSS requires that the image and/or paper form must be rendered unreadable (or protected with appropriate compensating controls). In addition, PCI DSS Requirement 3 prohibits the storage of sensitive authentication data after authorization. If the entity collects any sensitive authentication data, they must remove or obfuscate such data before they image it, not storing scanned images with prohibited data. Note: The specific sub requirement number(s) and terminology may vary depending on the version of the standard being used. Refer to the definition of "sensitive authentication data" in the applicable glossary for the version of the standard being used.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.