Recommended payment gateway for Small US Ecommerce site?
Mark_A
11:15 am on Oct 18, 2010 (gmt 0)
The gateway we were using suddenly became more complicated, something to do with a claimed security upgrade.
We have been trying to go with WorldPay but it seems they are not really interested.
Are there any others that people would recommend?
rocknbil
4:10 pm on Oct 18, 2010 (gmt 0)
claimed security upgrade.
Do you mean a failed PCI compliance scan? Most processors will require this, but it's not the processors that are the driving force, it's the parent CC companies that require it of them. You're probably best to resolve the compliance issues if this is the case, or just use PayPal.
jwolthuis
9:46 pm on Oct 18, 2010 (gmt 0)
PayPal Website Payments Pro has worked well for us over the past 4 years.
They have two APIs to choose from: The classic SOAP/NVP interface, or the Payflow Pro interface. The latter also allows you to accept credit cards on eBay, if you ever decide to try eBay selling.
arloleach
11:09 pm on Oct 18, 2010 (gmt 0)
I've seen short, common-sense lists of PCI guidelines in the past, but in the last week two of my clients with two different merchant banks have been sent questionnaires that are ominously long and bureaucratic. For example, one of the requirements is that "Configuration standards have been developed for all system components." That's so vague that I don't think it serves any purpose but a CYA for the credit card companies.
These clients have 1-2 employees and process 1-2 transactions a day, and I think they would sooner change their business models than pay the IT overhead to comply with these new requirements. We do save credit card info to process recurring billing; am I correct in assuming that most of these requirements would be moot if we didn't do that?
Also, would switching to PayPal Website Payments Pro really avoid this? Most of my projects use custom code that connects to the Authorize.net API. I could easily switch this to use the PayPal API, but that wouldn't make my own websites more secure. I'm thinking that I would need to replace my rebilling code with the rebilling functionality that Authorize.net and PayPal offers -- so that the credit card storage is on their servers -- to reduce the requirements that my clients are responsible for.
enigma1
12:16 pm on Oct 21, 2010 (gmt 0)
Actually you should not store cc numbers on your server since you are using an external gateway to process orders. What's the point other than attracting trouble?
arloleach
1:20 pm on Oct 21, 2010 (gmt 0)
The point is to process renewal payments for a subscription-based service without forcing users to log in and re-enter their payment info every month.
Authorize.net and PayPal both offer rebilling functionality, but I haven't used it in the past because my own code gives me a lot more flexibility and control over the behavior of processing failures, the appearance of email confirmations, etc.
enigma1
2:24 pm on Oct 21, 2010 (gmt 0)
I believe the various features you describe are supported by the payment processors through their API, which should be documented. Search for Recurring Billing.
The only case you would need to keep the credit card on your server would be if you are doing the cc processing with the bank directly.
arloleach
2:47 pm on Oct 21, 2010 (gmt 0)
Yes, that's what I said. I haven't used this feature in the past because I have more flexibility doing it with my own code. The processors charge extra for that service, and I'll have to charge my clients to rework these parts of their sites, but that might be less expensive than complying with all of these new documentation requirements. Can you answer my original question, which is: am I correct in assuming that these new requirements will be moot if we stop storing payment info?
enigma1
5:43 pm on Oct 21, 2010 (gmt 0)
I think so, because there are lots of extra steps in the PCI spec if you decide to store cc info. And it's the problem of liability that may terminate a small business because of the fines if something goes wrong. That doesn't mean I agree with the PCI methodology btw.
arloleach
5:54 pm on Oct 21, 2010 (gmt 0)
Thanks. We'll see what response we get from the questionnaires and go from there.
rocknbil
4:01 pm on Oct 22, 2010 (gmt 0)
am I correct in assuming that these new requirements will be moot if we stop storing payment info?
Yes and no. It will move you into a different level of compliance, but you will still have to pass PCI compliance scans; my wife's site has been PCI compliant for at least 5 years and we have never stored any CC info.