Shredding services


clemmon
02-27-2008, 08:42 AM
Do the shredding services used need to be PCI Compliant?
Thanks

mdahn
02-27-2008, 11:54 AM
If the vendor falls under the criteria of 12.8 then you need to adhere to third-party requirements.

If the vendor takes the material offsite or if you give the data to them, then you should adhere to 12.8. If they shred onsite while monitored by your personnel there may be no need to address 12.8.

Either way, you want to make sure they are shredding properly.

andrewj
02-27-2008, 11:54 AM
If you are passing such a company paper that contains CHD, then yes, it must be PCI compliant as per requirement 12.8. In cases where you produce two types of paper waste to be shredded - paper with CHD and paper without CHD - I would recommend using an internal shredder for the CHD (assuming it is lower volume than the other data), and an external service for the other data.

Edit: Pipped at the post by Mike!

Brendan S
02-27-2008, 11:53 PM
Do the shredding services used need to be PCI Compliant?
Thanks
We have discussed this with our QSA and agreed that these types of services are not of the 'classic' PCI Service Provider type. We agreed to address these by formal Letter of Assurance from the supplier including reference to formal certification appropriate to their industry - in the UK this would include British Standards. In this case BS8470 for Shredding Services and BS7858 for Employee Checks would apply. We also need to review the business handover processes.

Other similar areas are Visitor Management, Hardware/Media disposals and Document Archiving.