Jack_Hughes - 8:38 am on Aug 20, 2009 (gmt 0)

I guess the difference is that your site can be targeted and hacked to capture the credit cards if you are taking the CC number whereas if some other site is doing that then their site needs to be targeted. Hence the requirement for sites that process cards (but don't necessarily store the numbers) to be PCI DSS compliant. The good news is that if you don't store the cards you don't need to deal with a lot of the database server separation issues that you would need to handle if you did.