If your app touches CC#s it should be so good and so secure that it is PCI compliant without even trying to be. The PCI specifications read like a laundry list of common sense practices.
I kind of agree with you here. There are a lot of problems with the specifics of the PCI requirements, but they're still a shitload better than what was common practice before the PCI DSS existed.
I was peripherally involved in some of the PCI compliance efforts at my workplace (big, household name international company). Frankly I was incredibly frightened and embarrassed at some of the incredibly dumb, sloppy ways my employer was treating customer credit cards. Now don't get me wrong, we still do a lot of dumb shit, but at least some effort is taken to secure customer CC numbers now.