
Is there proof of this? I haven't heard from my payment gateway and I don't know where to get pci certified. It would smell like a scam to me but they don't seem to be selling anything.

Just to note, I have clients who get emails scaring them into "pci scans" even when they don't handle credit card information.



Yes, there is proof of this. While the article is loaded with "scare text", the warning is real. PCI-DSS compliance is required by July 1st, 2010. PCI-DSS = Payment Card Industry Digital Security Standard.

Simply put, there are 12 areas that you need to pay close attention to, and I've pasted them below.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

For more information on PCI-DSS, go to https://www.pcisecuritystandards.org. Also, consider downloading the PCI-DSS; it's a 60-70 page PDF with all of the information that you need on the PCI-DSS. It also contains a Self-Assessment Questionnaire that you can use to review your site or app.

As I work with ecommerce sites daily, I can assure you, PCI is not something that you want to ignore. At the same time, it's not terribly difficult to adhere to the rules.

As a quick reminder, any site that is found to be non-compliant at the time of a breach could face fines into the hundreds of thousands of dollars (USD).


I take issue with Requirement 5: why on earth would my web server need an antivirus? Other than that, everything else is pretty much a no-brainer. Where my real issues lie are in the certifications of PCI compliance. Companies charge a lot of money to do "scans" of your website and claim that you're required to be "scanned" for compliance. According to https://www.pcisecuritystandards.org that doesn't seem to be the case.


It could well be true, this took effect in Sweden a few years ago anyway. You probably shouldn't be getting PCI certified unless you have a fair amount of time and money to spend on the process.

If your gateway doesn't intend to supply a PCI-compatible solution of their own, you should probably get another implemented instead. (I have one or two customers that went through PCI certification; it's a pointless hassle and they have to get reassessed once a year.)

For smaller sites the conversion rate has tended to increase slightly (in Sweden, so YMMV) when using a reputable vendor.


We have clients with different-enough needs that it's often easier to write a new, simple shopping cart for them than it would be to integrate an existing behemoth to do what they need.

Should we have every single project certified? How do you even go about that?


Have them not touch the CC#. Leave that last part of the funnel to some certified external party. You'd also be doing them a big service. I simply abandon most carts if the CC entry stage is still on the merchant site and not on someone big and recognized like PayPal, and I hate PayPal. I just don't trust the little, unknown guys with CC# & details.
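One way to check that a cart built this way really never touches the card number is to scan the merchant side's own logs, request dumps and database exports for anything that looks like a PAN. The following is an added example, not code from the thread or from any payment vendor: it finds 13-19 digit runs (optionally separated by spaces or hyphens), keeps only the Luhn-valid ones, reports them per line, and masks them down to the last four digits. The log lines are constructed for the example; `SAMPLE_LOG`, `find_pans`, `mask_pans` and `scan_lines` are names chosen here. Luhn passes about one in ten random digit strings, so hits are candidates to review, not proof of a leak.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or hyphen,
# not embedded inside a longer digit run (lookbehind/lookahead guards).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most order IDs, timestamps and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(raw: str) -> str:
    """Strip the separators the regex allowed so the Luhn check sees digits only."""
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> list[str]:
    """Return the digits-only form of every Luhn-valid candidate found in text."""
    return [
        _normalise(m.group(0))
        for m in _CANDIDATE.finditer(text)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid candidate with asterisks plus its last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _normalise(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # leave non-card numbers untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE.sub(_mask, text)


def scan_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, PANs) for every line that contains at least one PAN."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits.append((lineno, pans))
    return hits


# Constructed sample of a merchant-side application log. Lines 2 and 3 show a
# DEBUG handler that logged a raw POST body, which is exactly the kind of leak
# that puts the whole cart in scope. The card numbers are the usual public test
# numbers, not real cards.
SAMPLE_LOG = [
    "2010-06-30 12:01:07 INFO  checkout order=1234567812345678 total=49.95",
    "2010-06-30 12:01:08 DEBUG post body: card=4111 1111 1111 1111 exp=12/12 cvv=123",
    "2010-06-30 12:01:09 DEBUG post body: card=378282246310005 exp=01/13",
    "2010-06-30 12:01:11 INFO  support callback +1 415-555-0100",
]

if __name__ == "__main__":
    for lineno, pans in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {len(pans)} candidate PAN(s)")
        print("  masked:", mask_pans(SAMPLE_LOG[lineno - 1]))
```

Run it over a real log directory with `find_pans` and you get a quick answer to "does our server ever see the number?"; the order ID on line 1 and the phone number on line 4 are correctly ignored, the two logged POST bodies are flagged. If the answer is anything other than "never", the cart is handling cardholder data and the hosted-payment-page argument above applies.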


While your concerns are warranted - we've taken over some terrifying projects and cleaned them up in a hurry - I've never been that paranoid about it.


I didn't use to be. Then I had a problem and my bank took 2 months and almost 10 phone calls to fix it. Then I became a little paranoid.


I'm never very bothered handing out my CC details. It's not like I'm liable for anything that happens with it, and when shopping online I generally just use the one-time-use numbers that all of my credit cards offer. Really, the worst that can generally happen is that I have to get a new CC #.



