Manish_Singh - 5:21 pm on Sep 8, 2010 (gmt 0)
We just finished the PCI compliance process for the company that I work for. As mentioned earlier, if you aren't accepting any CC details on your website, then you don't have to do server scans. SAQ is optional.
However, if you do fall under the Tier-2 or Tier-3 merchant category (based on the number of transactions, credit card data passing through your server to the payment gateway for a charge), then it's a totally different ball game.
When we initially dived into the project, we thought server scans and SAQ filing were all that was required. The truth is, that's really what is required (for Tier-2/3 merchants); however, there are lots and lots of policy changes that need to be implemented within the company and outside to comply with PCI. These changes definitely take time and there is a cost involved. For example, it took us almost 4 months to be truly PCI compliant (software, hardware, network architecture, logging, audit, password policy, backups, change management policy, key management policy etc.). And we had a very good in-house technical team to achieve it all. Had we relied totally on consultants or outside technical teams, the costs would have scaled up further.
What you should check with Rackspace is the details of their PCI compliance product. For all you know, they may be selling you a PCI package that's required for Tier-2 or Tier-3 merchants. Usually the costs involved for those merchants can easily touch the five-figure mark depending on the complexity and scale of operations.