
Well, I have to admit, I am certainly not a 6,000,000 transaction per year merchant, which is when I would need a level 1 audit that you and your friend so gleefully salivate over. I wish I was! If I was, I think it very reasonable to audit your processes to ensure security.

In fact, I am a level 4 merchant, to my shame, so I have not spent money having an expensive "Certified QSA Security Consultant" audit my systems. I would remind everybody that, sadly, they are probably level 4 merchants as well, unless they do over 20K transactions a year. Even if you do more than 20K, you're not in the scary big leagues till you get to 6M transactions.

Finally, I'd like to note that we hear a lot about these "possible fines", in theory, but have you heard of any in real life? I assume they must exist, but I invite you to read about the Heartland data breach, which exposed over 130 million credit card numbers. You'll note they still haven't been fined, but they "may be fined over $150K".




One thing at a time here. Lennart, my buddy, does indeed do well over 6M transactions per year, so a level 1 audit is his lot. Technically his company (vxsbill.com) is an IPSP, not a merchant. But because he has the requirement anyway, all the merchants that he works with and for benefit from the secure facility that he offers.

If you are a level 4 merchant, so fewer than 20K transactions per year (which sounds like a lot but really is only about 55 transactions per day, which I've already crossed over all by myself), then you could theoretically roll your own, but you are setting yourself up for a big fall if there ever were a breach of security involving your site. And you'll still be paying access fees to a gateway, or have you found a way around that?

As for your 'theoretical fines', the two biggest instances that I remember wrecked the companies involved, the first one involved a company called Dacotah Marketing and Research, one of the largest internet billing companies during the .com boom, the second involved iBill.com, which you could probably qualify as their successor.

Both of these companies offered 'third party billing', which is one thing you are at least staying away from.

But if VISA doesn't care about blowing 10K+ merchants to kingdom come by fining an IPSP that does not abide by their rules out of existence, you certainly are not going to be felt any more than a gnat would be felt if a car ran over it.

They really don't care about individual merchants at VISA or MC, and working with a large to mid-sized IPSP has a significant advantage in that effectively you are bundling your negotiation powers against the card issuers.

This will help during acceptance, chargeback issues, merchant account revocation for some imaginary slight and so on (you did check if you have permission to run those logos, did you get it in writing?).

Last but not least, working through an IPSP rather than 'rolling your own', no matter how satisfying the latter is, means you get the benefit of a large pool of knowledge on scrubbing and pre-authorization checks to make sure that your customer is legit. But of course you've never had a fraudulent charge.

I don't know much about the Heartland data breach, other than what I read in the media so I'll decline to comment on that.

Let me close this bit by noting that 100 days ago you didn't know about PCI at all (http://news.ycombinator.com/item?id=1092224) and now you are the expert in the field and will tell people that they should just roll their own because you slapped something together and it worked - so far.

Me, I'll be leaning on a decade+ of experience and a couple of very dedicated employees to make sure that my money keeps rolling in, and that my customers' data does not get compromised. There is only so much time.

I also don't make my own computer chips, circuit boards, and so on. I've found it to be un-economical to do so and the same logic is what stops me from rolling my own billing solution.

Incidentally, I'm the original author of 'webpay', the software that powered the first major IPSP, so it's not as though I wouldn't have an idea where to start, but some things require a whole lot more dedication than I'm willing to spend on it to do it right.

http://web.archive.org/web/19980507122555/http://mattheij.nl...

cheers!

edit: afterthought, you may be talking at cross purposes when you compare the $150K that Heartland might be fined to the most common kind of fine, the chargeback penalty. If you haven't had a chargeback yet then I urge you to read up on this and on why scrubbing is so important, especially if your volume is low: a single group of unfortunately timed chargebacks can kill your merchant account. Depending on your contract the permissible percentages can be as low as 0.7% of the volume in the running month, and the latter is a real problem if there is a temporary change in volume on your website. I'll leave it up to you to figure out why that is a problem.
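The volume-dip problem hinted at in the afterthought above, worked through as an added example (this is not code from either commenter, vxsbill.com or the webpay project). It models a merchant account whose chargeback ratio is measured per running month as chargebacks posted in the month divided by transactions in the month, with chargebacks lagging the original sale. The daily sales figures, the 0.5% underlying dispute rate, the 45-day dispute lag and the 30-day months are all constructed for illustration; the 0.7% threshold is the example figure quoted in the comment, not a statement about any real contract.

```python
"""Chargeback-ratio simulation (added example, not part of the HN thread).

A merchant account's chargeback ratio is typically assessed per running month:

    ratio = chargebacks posted this month / transactions this month

Chargebacks lag the original sale by weeks (the cardholder disputes later),
so a temporary dip in sales shrinks the denominator while the numerator
still reflects the earlier, larger volume.  The underlying fraud rate never
changes, yet the measured ratio can cross the contractual limit.

All inputs below are constructed for illustration.
"""
from collections import defaultdict

DAYS_PER_MONTH = 30  # assumption: fixed 30-day accounting months

# Constructed sales profile: two normal months at 60 sales/day, one dip
# month at 20 sales/day (site down, seasonal lull, marketing pause), then
# a recovery month back at 60/day.
EXAMPLE_SALES = [60] * 60 + [20] * 30 + [60] * 30

EXAMPLE_DISPUTE_RATE = 0.005   # 0.5% of sales get charged back (constructed)
EXAMPLE_LAG_DAYS = 45          # disputes post ~45 days after the sale (constructed)
EXAMPLE_THRESHOLD = 0.007      # 0.7% per running month, the figure from the comment


def simulate_chargeback_ratios(daily_sales, dispute_rate, lag_days, threshold):
    """Return {month_index: (ratio, breached)} for each complete month.

    daily_sales: transaction counts per calendar day, day 0 first.
    Each day's sales generate dispute_rate * sales chargebacks that post
    lag_days later and are counted in whatever month they land in.
    """
    chargebacks_by_day = defaultdict(float)
    for day, sales in enumerate(daily_sales):
        chargebacks_by_day[day + lag_days] += sales * dispute_rate

    results = {}
    for month in range(len(daily_sales) // DAYS_PER_MONTH):
        days = range(month * DAYS_PER_MONTH, (month + 1) * DAYS_PER_MONTH)
        month_sales = sum(daily_sales[d] for d in days)
        month_chargebacks = sum(chargebacks_by_day[d] for d in days)
        ratio = month_chargebacks / month_sales if month_sales else float("inf")
        results[month] = (ratio, ratio > threshold)
    return results


def first_breached_month(results):
    """Index of the first month over the threshold, or None."""
    for month, (_, breached) in sorted(results.items()):
        if breached:
            return month
    return None


if __name__ == "__main__":
    res = simulate_chargeback_ratios(
        EXAMPLE_SALES, EXAMPLE_DISPUTE_RATE, EXAMPLE_LAG_DAYS, EXAMPLE_THRESHOLD
    )
    for month, (ratio, breached) in res.items():
        flag = "OVER LIMIT" if breached else "ok"
        print(f"month {month}: chargeback ratio {ratio:.2%}  {flag}")
    print("first breached month:", first_breached_month(res))
```

With these inputs the steady-state ratio is 0.5%, comfortably under 0.7%, but the dip month shows 1.5%: the 30 days of disputes landing in it come from full-volume days, while the denominator is a third of normal. That is why a merchant with low or volatile volume is exposed even when scrubbing is adequate, and why the commenter treats chargebacks, not the headline PCI fine, as the fine that actually lands.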



