Securing Your Payment Transfers

04.11.2008

Well alright. There are some exceptions.

Let's say you are a Level 4 merchant running your business, and you complete an SAQ (Self-Assessment Questionnaire). It's business as usual until you have a breach. The bank will then elevate you to L1, which will cost a lot more to secure. PCI auditors charge in the range of $2000 a day. Add to that the cost of IP scanning: a PCI Approved Scanning Vendor charges approximately $500 to scan one IP address. So once there is a breach, and you had not had your processes aligned with the standards, you are in for a lot of trouble. The way to avoid this entire massive headache is to outsource the payment option for your business altogether.

While you can just as easily select an online payment gateway to process your transactions, so that you never deal with any cardholder data, the problem with this option is the commission per transaction. Because the vendor will charge you a high commission, this option becomes unprofitable for high-profile merchants.

Timelines and Best Practices

In the US, VISA enforced the deadlines: