Read the PCI DSS Standard
If you want to access the detailed standard, please visit the PCI Standard Security Council site at https://www.pcisecuritystandards.org/
The PCI DSS standard applies to all entities that store, process or transmit cardholder data. It is also very little understood that the standard does equally apply to manual processing and storage of cardholder information as well as to electronic methods of storage.
You may be storing cardholder information (e.g. card receipt from terminals, emails received which have cardholder details in them) in a way the standard does not allow.
As PCI DSS compliance applies to a merchant's overall environment, any third parties used by the merchant that would store, process or transmit cardholder data, electronically or manually, should be taken into account. A merchant can only reach compliance if its affected third parties are also compliant.
It is recommended that businesses undertake an initial evaluation of the anticipated impacts of PCI DSS on them and their third parties and this may be helped by mapping an end-to-end data flow.