Ive been going through PCI Compliance training for the last few weeks. Interesting stuff - kind of.
All of it is just basic "good information security" practices. Antivirus on your workstations, periodic scanning of your environment and dont transmit people's card information over the internet unencrypted. While these are just a few items looked at in an assessment, they sound pretty straight forward to me.
Talking to a QSA (Qualified Security Assessor) for PCI, there are so many merchants out there that are a literal train wreck. Kind of scarey.
The latest PCI Security Standards can be found HERE.
Depending upon how many transactions the merchant performs in a 12 month period, a QSA might not be needed. This would then require a self assessment to determine if the merchant is in compliance. I am assuming that the merchant provider would be helping their customers through all of this.
Another standard to make sure people are doing the right thing...