stolen credit card receipts


rich
03-01-2009, 07:48 AM
I am a small business owner in the throes of PCI compliance. There is one thing I don't understand. The only media that my business keeps is the credit card receipt that contains the last four digits of the charge card number and the owner's signature. What can the "bad guys" do with these receipts if they steal them from me?
A very frustrated business owner.

jbhall56
03-01-2009, 08:58 AM
I'm assuming that you use a VeriFone or similar terminal to conduct credit card transactions. If that's the case, your receipt is fine, but you need to look at your end of day (EOD) report from the terminal. 9 times out of 10, I find that the terminal has not been configured properly and the card numbers are not masked on the EOD report. Typically, this is an easy configuration change, but I have run across terminals that require a software upgrade and reconfiguration before they can be made compliant.

If you are using a PC with point of sale (POS) software, then your compliance may be more tricky depending on whether or not your software is PABP/PA-DSS compliant and if you implemented the software properly.

rich
03-01-2009, 09:32 AM
Thanks for the quick response. Since I am new at this my terminology leaves a lot to be desired. The card swipe machine we use is connected through a phone line. We do not use a PC. The end of the day report contains only the total day's sales and not the card numbers. I checked with the card reader provider and was told that the machine was "PCI compliant" and that card numbers were not stored in the card reader. So, is it safe to assume that even if someone stole the credit card receipts that contain only the last four digits of the card number and owner's signature that the cardholder's identity is not compromised?

jbhall56
03-01-2009, 01:47 PM
The PCI DSS does not consider credit card numbers (aka primary account number or PAN) that are masked or truncated to the last four digits of the PAN as cardholder data. So, you are PCI compliant on this count. (Actually, the PCI DSS allows the PAN to be truncated to the first six and the last four digits.)

FYI, there are some terminals that are considered PCI compliant, but still need to be configured properly in order to be truly compliant.

rich
03-01-2009, 03:44 PM
This is good news for us great unwashed.
I would like to use this fact when answering questions on the self-assessment questionnaire.

As an example one of the questions states:
“Is strict control maintained over the storage and accessibility of media that contains cardholder data?” (SAQ #9.9), with the help section stating “‘Strict control’ includes secure storage of all retained media that contains cardholder data, but it also means that an inventory of the media needs to be done. The inventory must be redone periodically, and it must be detailed enough that any missing media will be noticed.”

I plan to answer this as “Not Applicable” with an explanation in the comments section – “The PCI DSS does not consider credit card numbers that are masked or truncated to the last four digits of the PAN as cardholder data.”

If I can make this statement for most of the questions it will make my life a lot easier.

Regarding your other comment about the terminal. Point well taken. Since I have asked and was told the terminal is PCI compliant should I ask for something in writing from them? I’m not smart enough to make this determination on my own.

jbhall56
03-02-2009, 05:43 PM
I plan to answer this as “Not Applicable” with an explanation in the comments section – “The PCI DSS does not consider credit card numbers that are masked or truncated to the last four digits of the PAN as cardholder data.”

If I can make this statement for most of the questions it will make my life a lot easier.

I would just simply state that you do not store cardholder data and therefore this requirement is not applicable. Too much detail can sometimes create more questions. If asked to explain further, I would then state that you only store truncated PANs.

Regarding your other comment about the terminal. Point well taken. Since I have asked and was told the terminal is PCI compliant should I ask for something in writing from them? I’m not smart enough to make this determination on my own.

You stated that you ran an EOD report and it did not print out PANs. However, it should have printed out truncated PANs, usually the last four digits, but sometimes it's the first six and last four digits. I would run all the reports out of the terminal that are possible just to have a record that there is not one report that prints out full PANs. Most terminals are fairly simple to operate, but you should also have an Owner's Manual or User's Guide that can walk you through the steps of generating reports. It should also explain the steps to ensure the terminal is PCI compliant.
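
The two points made above, that a printout may carry the first six and last four digits but never the full PAN, and that every terminal report should be checked for a full PAN, can be turned into a simple check. The following is an added example, not code from this thread or from any terminal vendor: it scans constructed EOD-style report lines for a Luhn-valid run of 13 to 19 digits (a full PAN), ignores truncated forms, and reports any hit in first-six/last-four form so the check itself never stores a full card number.

```python
import re

# Constructed sample of an end-of-day report, not real terminal output.
# The card number on line 4 is the well-known Visa test PAN, not a live account.
SAMPLE_REPORT = """\
END OF DAY REPORT            03/02/2009
TRAN 0001  SALE   VISA  ************1111   $42.10  REF 1234567890123456
TRAN 0002  SALE   MC    411111******1111   $18.75
TRAN 0003  SALE   VISA  4111 1111 1111 1111  $99.00
TOTAL SALES                              $159.85
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit or a masking character (* or x).
PAN_RE = re.compile(r"(?<![\d*x])(?:\d[ -]?){12,18}\d(?![\d*x])", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most the PCI DSS allows on a printout."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_full_pans(report: str):
    """Return (line_number, masked_pan) for every full PAN printed in the report.

    Truncated PANs such as ************1111 or 411111******1111 are not flagged,
    because they never contain 13 consecutive digits. A 16-digit reference number
    that fails the Luhn check is not flagged either. Findings are masked so the
    check does not itself create a record of cardholder data.
    """
    hits = []
    for lineno, line in enumerate(report.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits
```

Running `find_full_pans(SAMPLE_REPORT)` flags only line 4, the transaction printed with the complete card number; the two properly truncated lines and the reference number pass.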

rich
03-02-2009, 07:01 PM
I would have never thought to check the terminal for other reports. I will do it tomorrow. Thanks for the heads-up.
Rich

rx.jeff
03-23-2009, 02:54 PM
... should I ask for something in writing from them? I’m not smart enough to make this determination on my own.

If I were you, I definitely would get this in writing from Verifone or wherever you got your POS from stating that the model that you have is PCI compliant. Most definitely!!!

3Dmerchant
05-22-2009, 06:52 AM
Let's be real. Verifone and other manufacturers are not going to write letters to individuals telling them their unit is PCI Compliant. What if as jbhall56 the terminal is programmed correctly?
You can look up the datasheet on any product and print it out. They always have a reference to PCI Compliance. What's compliant today, may not be next year. You need to check with your processor, as the processor has a list of what they consider to be compliant connecting to their specific network.

darryl
07-11-2009, 01:30 AM
I appreciate the information you have laid out here. Thanks for forwarding this useful information. It was wonderful of you. Good luck! That's good to know! Thanks.....