jwolthuis - 7:50 pm on Aug 20, 2010 (gmt 0)
The card data is not on the server. We send it all through the gateway. That is MY POINT. Why does someone like me even need to be PCI Compliant?
PCI Compliance isn't just focused on *storing* card data, but *handling* the data as well. I assume that if you're storing 4 digits, at one point you had a web page that asked for all sixteen digits. PCI Compliance is concerned with that too.
But as a Tier 4 merchant, annual SAQs are totally optional, and your costs should be two figures a month (at most), not $10k.
Don't necessarily offload credit card processing to a 3rd party, as someone suggested above. While it's true that you're not in the business of "processing payments", you are in the business of "order management", and a seamless Shop / Checkout / OrderStatus / Reorder experience for the customer reflects a professional website, much more than a boomerang payment system that bounces a shopper to a different URL for payment details. Especially for foreign shoppers, who might not recognize the URL of a payment processor.