  #162  
03-24-2010, 04:28 PM
 
speedyskis
 

Newbie
  
Join Date: Mar 2005
Location: Fl
Posts: 1
 

Re: X-Cart and PCI-DSS / PA-DSS compliance

There are three key areas for PCI DSS - storage, processing, and transmittal.
I don't recommend you store any card data. Period. There are many ways to get around this. If your virtual terminal won't let you do a refund without CVV, you need a new terminal or to change your controls.
THE SERVER
Among the largest processors, First Data is requiring EVERY merchant to pass a PCI Compliance SAQ. If you have an ecommerce site, your site/server will be scanned as part of that process. Tons of merchants process through what's called an "ISO" of First Data. That means a whole bunch of you either already have, or will have to pass that test this year via the third party company they hired, Security Metrics.
You're supposed to do this on your own regardless of your processor, but too many people (50%) didn't, so now it's mandatory with at least that processor.
PAYMENT PROCESSING
You need an SSL certificate on any system, and everyone has that part down. But the rest of it is where the problems come into play. There are really no shortcuts.
You either have a shopping cart that is certified compliant or not.

Chase Paymentech and others have a stringent cart certification process that most developers have not completed yet.

The hosted payment page is a viable alternative to all the issues and cart certification. I'm not familiar with x-payment. Magento users have a solution through CRE Secure. X-cart users can also use the solution. While X-cart is not a ready-made module at this time, you can still use the custom integration. When you add up the cost of scanning and everything else, I'm betting this is a cost-effective and quick solution.

Check out this page for how it works:
http://www.cresecure.com/pages.php?pID=7&CDpath=0

(I'm the "payment network" in the diagram; I have no vested interest in CRE other than it makes clients compliant.)

I hope this helps those with immediate needs.
__________________
Chris
Ecommerce merchant services specialist
Former ecommerce/SEO developer (10 years+)
x-cart latest version