aspdaddy - 6:57 pm on Sep 7, 2010 (gmt 0)
If you really do care about customer protection, then your processes and process control logs will satisfy an audit with zero additional cost. The most it would cost would be an annual pen test at around $2,500, which you could in-source if a staff member gained Certified Ethical Hacker certification.
It sounds like you may be being quoted for fully managed security.
PCI is actually relatively easy for small merchants compared to, say, ISO 27000-2 compliance.