It looks like there's a lot of confusion here...
- if you don't ever touch, see, transmit or store the CC data, the PCI DSS requirements are very low: you just fill out a self-assessment questionnaire and attestation of compliance (SAQ A), and you're done.
E.g. if at the end of your checkout process you send the customer to a (secure) page hosted by your payment gateway provider, and the CC data is entered on that page and sent only to the payment gateway provider, then you don't have to do a thing. That's the case with solutions like Paypal (the "standard" solution at least), many gateways provided by banks in Europe, and probably quite a few solutions in the US as well (sorry, not familiar with who provides what there).
- if any part of the CC data ever touches your server(s) (even if you only send the data right away to the gateway and never store it), then you need slightly more extensive PCI DSS compliance checks. There are various levels (1-4) depending on what exactly you do, how many transactions you handle, etc. The lowest level (4), which applies to people handling under 20 000 e-commerce transactions a year, basically requires you to complete a self-assessment questionnaire (SAQ C or D depending on whether you store the data or not) and have a quarterly scan performed checking for vulnerabilities. There are many vendors providing this service:
We are talking a few hundred $ a year, not more.
- full assessments by a third party (in PCI DSS lingo, an Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA")) are only required for very large merchants (over 6 million transactions a year), payment service providers, etc. Those are the assessments that cost $$$$, though the expensive part (the On-Site PCI Data Security Assessment) is annual, so I'm not quite sure how you got a quote for several K$ per month. What was it supposed to include exactly?
Some helpful links:
- what PCI DSS level do you need:
- if level 4, what SAQ should you use:
Hope this helps,