#28
05-30-2009, 08:16 PM
markvo
Advanced Member
Join Date: Sep 2005
Location: Oregon
Posts: 52

Re: X-Cart and PCI-DSS / PA-DSS compliance

I have gotten mixed messages from the credit card industry about how your cart will be treated if it "neither stores nor collects credit card information". My sense is that different merchant service providers are trying to figure this out too.

The answer I've been given that made the most sense to me is based on the intent of the whole PCI/PA-DSS compliance thrust. The idea is to identify holes in the credit card processing system where ill-intentioned people can gain access to someone else's credit card information, and then close the holes. The self-assessment questionnaire is most effective as a way to make site owners aware of the issues. It doesn't provide any real protection. The way a merchant service provider will know whether the merchant's site doesn't store credit cards is by audit (admittedly, the current process is still pretty leaky). I believe most merchant service providers will require the software audit now (or in the near future) as the industry internalizes PCI-DSS compliance.

The only loophole I could imagine post-July 2010 is that if your site passes PCI-DSS compliance and the audit validates you never see or store credit card information you might be able to avoid the PA-DSS compliance. We'll see what tomorrow brings.
__________________
Mark in Oregon
Xcart Gold version 4.1.8, 4.1.10
Linux
MySQL server 3.23.58
Apache 1.3.27
PHP 4.4.2