>>Merchants who take Visa are classified as level 1, 2, 3, or 4. Level 1 merchants are the Wal-Marts and Targets of the world, with very large transaction volumes. The PCI requirements for them are stringent. Level 4 merchants are so-called "mom and pops." The requirements are much less stringent. What most of them do is sign up with a credit card processor. The processor charges relatively small fees and they are the ones who have to comply with PCI, not the merchant.
>>
>>UPDATE: Sounds like X-Charge is your processor. You have no worries. As you say, if you don't store credit card data there is no way you can let it get into the wrong hands.
>>
>From what I understand, there is little classification anymore between the levels, and it doesn't matter who you are, you have to be compliant. We have POS in our system, but we also store CC#'s to do monthly billing, which includes recurring and incidental fees (for health clubs). the monthly stuff is probably what would get us, but if we can do some kind of tokenization of the CC info with our processor, that may let us of the hook.
>
>I am trying to find a site that can tell me more about this stuff. Trustwave and 403 Labs so far just tell us we absolutely need it, but I am not convinced yet. As Ken stated earlier (and you re-iterated) I need to look more into going the X-Charge route. Currently we are using Mercury Payment for our CC processor.

I had not heard that about there being little classification any more. It's only been 18 months since I was in that industry but things do change all the time due to the increased focus on privacy.