Securing Your Payment Transfers

04.11.2008

Identifying the Vulnerabilities

It is important to understand that credit card data is usually stolen at two locations: one is the physical merchant and the other is the online store. While there are only so many recommendations you can give a physical merchant on following best practices for processing credit cards, compliance with PCI standards ensures that there are no vulnerabilities in the online system. The job of the QSA is to assess how "secure" the online merchant is.

Unlike VeriSign or TRUSTe, which secure the actual transmission, the QSA audits the entire online business process to assess potential weaknesses in the system and recommends how to strengthen them.

The encryption algorithms protecting transmissions are so strong that attacking the transmission itself is useless, so any breach will probably occur before you actually submit the data. Once a merchant is PCI compliant, he has to perform quarterly vulnerability scans on his internal and external networks. So a merchant who is already compliant but has not run the required scans within the set period can be fined a hefty fee.

It is important to remember that this exercise makes more sense for online businesses with high-volume traffic. For low-volume websites, outsourcing the payment gateway makes more sense.