I take issue with Requirement 5: why on earth would my web server need an antivirus? Other than that, everything else is pretty much a no-brainer. Where my real issues lie is in the certifications of PCI compliance. Companies charge a lot of money to do "scans" of your website and claim that you're required to be "scanned" for compliance. According to https://www.pcisecuritystandards.org that doesn't seem to be the case.