
Level 4 paper based merchant - PCI/DSS ??


uspl
07-18-2007, 09:16 PM
We handle about 10 card payments a day.
Customers email or fax us authorisation to charge their card; we don't take payments via any sort of web gateway.
Payments are charged via a dial-up phone terminal.
Hardcopy receipts and a copy of the customer authorisation are stored in a paper file for 12 months.


Does PCI DSS apply to us?
Obviously we have taken steps to secure our network regardless: firewalls, WEP, SSL for our VPN traffic, etc.
I cannot get a straight answer from our bank or from Visa

Any help appreciated

lyalc
07-19-2007, 12:53 AM
Yes, PCI DSS applies to you.

However, the process by which you validate your compliance varies depending upon the volume of transactions you process/accept.

From the sound of it, you are Level 4, and thus you may choose to submit a Self Assessment Questionnaire.

I'd suggest you make sure the paper card records are stored securely (i.e. limited access with an audit trail, no copying capability, etc.; buy a shredder), and that you review whether your business processes need to retain the paper transaction record for 12 months, or whether it can be destroyed sooner than that.

I'd also recommend a quarterly vulnerability scan if you have any web presence or internet connection.

uspl
07-19-2007, 03:31 PM
Thanks for the reply.

My understanding was that PCI DSS applies to merchants handling cardholder data electronically.

How does this affect us if our total operation is paper based? I understand the need to secure the paper records, which we do, but why the need for anything else?

Which phrase is true:

PCI DSS applies to merchants

or

PCI DSS applies to merchants who handle cardholder data electronically

Thanks in advance

J.D. Oder II
07-19-2007, 03:56 PM
PCI-DSS applies to any merchant that "Stores, Processes, or Transmits" payment card data. If you have paper receipts with card numbers, exp dates, imprints from a "knuckle buster", etc. you are in fact "storing" cardholder data. Like lyalc says, you should take care with your receipts and keep them safe (in a safe that is).

Also, come up with a data storage plan, talk to your CPA and attorney, and decide how long you really need to keep the receipts (normally only 18 months or so). When you don't need 'em anymore, dump them in a cross-cut shredder.

lyalc
07-20-2007, 01:59 AM
A small, pedantic update:
PCI-DSS applies to any merchant "or service provider" that "Stores, Processes, or Transmits" payment card data.

In the context of the original post, Section 9 of PCI 1.1 includes direct requirements for physical media protection and handling, including paper records (9.6 - 9.10).

Lyalc