  #30  
06-01-2009, 09:23 PM
markvo
Advanced Member
Join Date: Sep 2005
Location: Oregon
Posts: 52
 

Re: X-Cart and PCI-DSS / PA-DSS compliance

I agree that you should be okay if you allow all the credit card info to be handled by your merchant service provider and your shopping cart never sees this information. However, I believe it is the case that cart owners will need to prove this to their merchant service provider. Based on less than rock solid definitiveness, my sense is that ultimately each cart will need to pass the software audit in addition to the self assessment questionnaire. If your volume is high enough you will also need to pass the on-site audit.

There are 2 main benefits of allowing the merchant service provider to handle the entire credit card info trail. We avoid the devastating cost of lost credit card information and, if we're lucky, we might avoid the PA-DSS compliance requirement...TBD

Mark
__________________
Mark in Oregon
Xcart Gold version 4.1.8, 4.1.10
Linux
MySQL server 3.23.58
Apache 1.3.27
PHP 4.4.2