[robfig]

PCI Compliance is about protecting consumers from third parties, not from the merchant.

As part of Compliance, the merchant attests that he never handles the cardholder information, and that closes off huge portions of it.