I'm working on a business-to-business web app.
About a year ago we gave our users the ability to charge credit cards (from customers calling them over the phone) directly within our software system.
Then we found out we needed to become PCI compliant, and we were quoted anywhere from $8,000 to $20,000 to make it happen.
Can anyone comment on this experience? Have you ever become PCI compliant, and what has it cost you?
We're not storing any credit card information, our server is secure, and we use best practices. $8,000-$20,000 to look at some code and verify that we're using best security practices seems astronomically high - especially for a startup. Maybe the process of having a third-party audit is more complicated than I think.