[0wned]

Speaking as someone who deals with this on a daily basis, I say not true. PCI is common sense written down into an "industry standard". You don't have to do it, it's not a law. But if you want to continue to accept CCs, then you should comply. Compliance is as easy as redirecting all of your CC work to a processor that is PCI compliant. So long as you yourself do not store, transmit or process the card data, you can worry about your business and forget about PCI and it won't cost any more money.

[anamax]

> But if you want to continue to accept CCs, then you should comply. Compliance is as easy as redirecting all of your CC work to a processor that is PCI compliant. So long as you yourself do not store, transmit or process the card data, you can worry about your business and forget about PCI and it won't cost any more money.

Hmm. Is it that the PCI doesn't cost the processor anything or that the processor eats the costs?

[0wned]

If the processors are responsible, then they were doing it right before the acronym PCI ever existed. To become compliant costs money (audits, quarterly scans, self-assessments, etc.) but it's not that expensive and it's what they are in business to do. If the processor is not compliant, no one will do business with them ("Hey, look, we store your clients' CC numbers in an unencrypted DB... come do business with us!"). The cost, you as a merchant pays, is based on risk and volume. Online (non person to person) transactions are the most risky, so percentage-wise they'll always cost more... PCI or no PCI.