I've been through three audits with Trustwave over the last few years and 15-20K sounds about right.

By now most compliance issues are covered in our product but there are always new ones every year or so. From what I can tell the card associations are pushing to never have cardholder information stored at the merchant site by using a link, a transaction ID, to the payment processor who will have the cardholder information stored there, or farther downstream. For a small shop some of the audit requirements are out of touch with reality, code reviews, change logs, software development life cycle policies that have to be documented, etc. With Trustwave expect an audit to take 3 months and pray you get someone who speaks English and knows what the difference between a desktop or web based app.