What to do acquirer help
merlin66676
02-25-2009, 06:10 AM
I'm looking for some help on this. I spoke with two people from who I think is our acquirer and one told me we do not need to submit any paperwork for PCI compliance and the other told me as long as our terminal truncates account numbers on printing receipts we are compliant.
So my question is, how do I protect our business when our acquirer appears to be clueless? I assume I should fill out the paperwork for the SAQ and submit it to our account rep even though he says we don't have to, but how do I confirm he got it and didn't throw it in the trash?
mdahn
02-25-2009, 09:52 AM
Merlin66676, there are many complexities to PCI DSS compliance. I say this because the way in which you are required to protect payment card data may vary depending on the way you accept payment transactions.
For example, if you only have a hardware-based point of sale (POS) that does not retain payment card data and only uses a dial-out phone line to your payment processor, then you may have very few things to do. Checking for truncated cardholder data would be a good move.
If on the other hand you have a computer terminal or integrated POS (IPOS) that connects to a computer network or out to the Internet then you may have many more things to secure to achieve PCI compliance. The same goes for if you accept payments online.
Perhaps if you could provide more information about your business then we could better assist.
jbhall56
02-27-2009, 06:57 AM
While your account rep may tell you that you do not have to comply with the PCI DSS, if you process, store or transmit cardholder data (CHD) you are required to comply per your merchant agreement.
That said, I would first go to the PCI SSC Web site (https://www.pcisecuritystandards.org/saq/index.shtml) and review the SAQ section since you appear to be a small merchant (level 2 through 4). There are four SAQs: A, B, C and D. SAQ A is for merchants that conduct only e-Commerce and have outsourced that to a third party. SAQ B is for merchants that use terminals like VeriFone and Nurit or the old 'knuckle buster' embossers. SAQ C is for merchants that have integrated point of sale (POS) BUT do not connect back to any corporate network, only to the Internet. And finally, there is SAQ D for any level 2 through 4 merchant that does not fit in any of the other three categories. I have oversimplified the requirements for each SAQ, so please read the front of each SAQ to make sure that you comply with each of the filing requirements to determine which SAQ to use.
Once you have found which SAQ to file, you will then know the scope of your compliance effort.