Affiliate PCI compliance costs, benefits and disadvantages

Whitey

8:40 am on Nov 28, 2014 (gmt 0)

I'm hoping folks familiar with the up to date PCI environment can chime in here. There have been some earlier threads, but they are now quite old.

We're looking to implement tier 3 and 4 affiliate websites, where credit card details are taken on our server and passed over to the merchant's site. The merchant is currently permitting self assessment. But who knows if later on down the track it will require auditing.

The reason for us doing this is to have as much control over the booking process, to assist in adding value to the user, without actually taking the money.

What would you expect to pay for self-managed compliance? Is it manageable doing it yourself, and what benefits and disadvantages do you see, or experience?

wslade

2:28 am on Dec 6, 2014 (gmt 0)

Since no one from Australia has replied, I can speak to PCI compliance from a US viewpoint. Your questions are good ones and real answers are not all that easy to find. As an example, the PCI DSS Quick Reference Guide has 40 pages of small print! In my opinion that doesn't qualify as quick.

Your number of transactions, the shopping cart technology, and banking arrangement are all involved in determining what you will have to do. But your real driver for what you will need is determined by the requirements of your merchant account.

Once you know what your banking requirements are, a quick search should give you a number of options. Prices for smaller merchants here range from approximately $30 to over $100 a month depending largely on the number of scans and the level of services offered.

A really big part of what you will need to do is based on whether you store any financial data on your server. You will find it much easier to comply if you pass off the transaction to your payment gateway and do not store any card data (even for an instant). There are a number of gateway options that make this hand-off invisible to your shopper. You may find this method will meet your control needs.

About future change, the compliance guidelines have changed over time but nothing to cause big increases in the price of compliance services - YET.

Compliance requires an approved vendor to certify the scans. Depending upon the level of support your vendor provides, you will likely be able to manage your own program.

Good luck with your new venture.

wslade