by qeorge 4870 days ago
Securing your network / software is perhaps non-obvious, and doesn't always make the lists.

Example: you're not keeping the server up to date, and someone injects JavaScript into your payment page. You could be liable.

As I understand it (admittedly not well), PCI is kind of like HIPAA/OSHA, in that there are some explicit no-nos (e.g. not using SSL, leaving patient info lying around, or not wearing hard hats), but the more important point is about maintaining a "culture of compliance".