
The article talks a lot of scare, but if you visit the supplied link to Visa about what you need to do it gets a lot less scary. That makes sense as otherwise huge portions of merchants would be set to lose the ability to take cards and CC companies / gateways would lose buckets of cash.

http://usa.visa.com/merchants/risk_management/cisp_merchants...

Level 3 merchants (up to a million transactions a year) need to complete a self-assessed questionnaire annually, fill out a form and have an automated external test run. All are very minor hurdles, and if you're running that many transactions it should be an extraordinarily small amount of expense as a percentage of revenue. If you're doing 20,000 transactions there is even less to do.

tl;dr FUD



Given that the solution suggested by the article is to use a gateway (with a payment page, instead of forwarding CC numbers yourself), the gateways stand to make more cash, especially since some charge more for storage (which you'll need for recurring payments).

Having said that, merchants at the level 2-3 size often won't have renegotiated the rates agreed with their acquirer back when the merchant was smaller - doing so can soften the impact of outsourcing capture/storage considerably (perhaps even pay for it completely).

Agree that merchants should read PCI-DSS, but smaller shops may not have the expertise/time to realise/handle the implications (do you record telephone calls from customers, for instance?). For any size of merchant, to be able to say "we're unlikely to be breached as we don't store card numbers" is a good thing indeed.



