Much has been and will be written about this program. Like a lot of other aspects of the payments industry, there seems to be an endless supply of confusion on this topic. To be fair, it is a somewhat complicated topic. There are many layers in the ecosystem that can touch and/or store cardholder data, and there are multitudes of ways in which merchants implement their payment systems. During a recent discussion with a merchant client of ours and one of the Qualified Security Assessors (QSAs), the assessor acknowledged that the program was designed around the common mainstream models, both ecommerce and retail, and that this particular merchant's situation did not fit them easily. Nonetheless, this merchant, who could also be characterized as a quasi-service provider, was faced with a complicated dilemma.
While a lot of progress has been made on key aspects of PCI, such as the consolidation of requirements across the payment brands, there is no simple "PCI for Dummies" tome in sight that will answer all the questions.
Another relevant point for ecommerce merchants to consider is the pros and cons of letting your gateway handle PCI for you through what is called tokenization and/or a fully hosted payment page. In both cases the gateway, not you, stores the card data and hands you back a reference (a token) that only that gateway can redeem. While the appeal of avoiding PCI is tempting (strictly speaking, these approaches reduce your PCI scope rather than eliminate it), it is important to make sure that your contract gives you the right to get your data back, through a secured transfer of the underlying card data to your new provider, if you end up deciding to switch vendors or take the process back in-house. Otherwise, those of you with 1-click shopping or subscription payments will find that the tokens are worthless outside that one vendor and place your business at serious risk.
p.s. Having been involved in both retail and ecommerce payment infrastructure for close to 30 years, it never ceased to amaze me how much focus was placed on the fear of compromises coming from the Internet channel, while little to no concern or governance was focused on retail until pretty recently. At least on the Internet, with the standardization around SSL, the transport-security part of the threat was pretty well covered. Things really started getting crazy when retail terminals were switched from communicating over private lines (dial or leased) to using the Internet for transport, and neither the terminals nor the applications running in them had been architected from a security perspective.