We do have a PCI audit regularly. An outside firm comes in and checks over everything, then makes recommendations on what to change.
The latest thing is new POS devices with better credit card swipers.
> Yeah, the list goes on forever. I worked somewhere a while back that had a web developer who was oblivious to these rules - stored everything in a MySQL database unencrypted (including the 3-digit security number). Then one day he called me wondering why all the credit card numbers in the database were now all the same number. Making a long story short - the website and MySQL database had been hacked. It was a huge mess - we had to contact all the customers & tell them what happened, set up a 1-800 number for people to call in if they were concerned, etc. etc. etc. Needless to say, the "web developer" was fired. Turns out it was the nephew of the owner - a 17-year-old kid & this was his first project. I was the one tasked with redesigning the backend database so that it met all of the rules and requirements - so I learned first-hand just how many of these rules and such exist - there are a LOT.
Craig Berntson
MCSD, Microsoft .Net MVP, Grape City Community Influencer