lammert - 11:50 pm on Jan 20, 2011 (gmt 0)
Port 20 is standard FTP. Unless you use a piece of FTP server and client software which encrypts the whole control and data stream, port 20 is unsafe by design.
Port 443 is encrypted HTTP traffic, while port 80 is unencrypted. If your website needs a PCI audit, chances are that you aren't serving any information over port 80.
Reassigning port 22 to another number won't work. Port scanners (and a PCI audit) will find it anyway. It is the concept of security through obscurity, which won't stop any of the hardcore hackers. Adding firewall rules to block access to port 22 for all IPs except your own is much better, because even if hackers manage to get your password or certificate you use to authenticate yourself, they won't be able to enter the system from a remote location.
As an alternative for a firewall setup, you can use the /etc/hosts.allow and /etc/hosts.deny files on a Linux host as a cheap and easy way to allow only SSH access from predefined IPs.
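As an added example (not from the post above), the following POSIX shell script generates the two pieces of the allow-list described there: a `hosts.allow`/`hosts.deny` pair for `sshd` and the equivalent iptables rules. The admin addresses are constructed placeholders, and the output directory is a parameter so it can be tried outside `/etc`.

```sh
#!/bin/sh
# Added example, not from the original post. Restrict SSH (port 22) to a fixed
# set of source addresses, first with TCP Wrappers, then with iptables.
# The addresses below are constructed RFC 5737 documentation addresses.
ADMIN_IPS="203.0.113.10 203.0.113.11"

# Write hosts.allow and hosts.deny into directory $1 (use /etc on a real host).
# hosts.allow is consulted first, so the "sshd: ALL" in hosts.deny only rejects
# clients that did not match the allow-list. Caveat: sshd honours these files
# only when built with libwrap; OpenSSH dropped that support in 6.7, so on
# recent hosts rely on the firewall rules below instead.
write_tcpwrappers() {
    dir="$1"
    allow_list=$(printf '%s' "$ADMIN_IPS" | sed 's/ /, /g')
    printf 'sshd: %s\n' "$allow_list" > "$dir/hosts.allow"
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
}

# Print (do not run) the iptables rules for the same policy: accept new SSH
# connections from each admin address, then drop every other SSH connection.
# Review the output and pipe it to sh only once you are sure your own address
# is on the list, otherwise you lock yourself out.
emit_iptables_rules() {
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $ip -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Return 0 if client address $1 would be allowed to reach sshd under this
# policy, 1 otherwise. Mirrors the decision both mechanisms above make.
ssh_allowed() {
    for ip in $ADMIN_IPS; do
        [ "$1" = "$ip" ] && return 0
    done
    return 1
}

# Usage on a real host:  write_tcpwrappers /etc ; emit_iptables_rules | sh
```

Run `emit_iptables_rules` first and read the rules before applying them; a typo in `ADMIN_IPS` means the drop rule cuts off your own session.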