On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:

> Are you talking about the SAQC? I run all CC transactions through one
> CentOS VPS webserver (actually I have two servers that I periodically
> wipe out and alternate between every year or two). So I don't have POS
> terminals or any Windows PCs in the mix. We don't save any card holder
> data at all. So my SAQC was a breeze. I just had to add N/A for
> questions like the "do you run anti-virus software" and explain that
> everything goes through the one Linux machine for which no anti-virus
> software exists or is necessary.

You're going to want to go to www.pcisecuritystandards.org for the full
scoop. I'd advise you to have your counsel examine the PCI DSS documents.

IANAL, but I recall from version 2.0 of the doc found at
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
(click-through agreement required) that, and I quote from page 7:
"PCI DSS applies wherever account data is stored, processed or
transmitted". So it's not about saving data per se. Just the act of
having it transmitted to your systems may (again, IANAL) make PCI DSS
apply.

I've been dealing with PCI Compliance at work for a few years. It's not
really something you want to skimp through, as the fines can be quite
severe when things go wrong.

As I said, you may want to talk to your lawyer...

-I