Coming from direct QSA experience, you can be liable for CC data if you are collecting, transmitting, or storing the data. Basically any touchpoint in the flow of CC data you're involved in holds you legally liable for PCI-DSS. Kind of like speeding on the freeway... doesn't really matter until you get nailed doing it, and PCI council fines are devastating. I'm glad to discount our product extensively for any bloggers here... https://www.secure128.com/trustwave-trustkeeper-pci-complian... Just drop me a line to say hello and I'll give you whatever price you feel reasonable.