One, do we have to do any PCI compliance testing? I researched this in early 2009 and wrote that as a level 3, 20K-1M online transactions vendor, none stored, there was a level of testing required. I don't list my source for this info but I wrote it up here. I wonder if it's still true: PCI Compliance for Level 3 Vendor.
I researched in the beginning of 2009 that I needed to get PCI compliance testing done. But, I never have.
As a side story, after I decided that we did need some PCI compliance testing, I tasked my team to take care of it, and they spoke to one vendor who talked us into a whole co-marketing thing in which they guaranteed our site and put their bug all over it, guaranteeing that it would improve our conversion rate. It didn't improve the rate at all. They made some changes. No improvement. We insisted on getting our money back. Eventually we did, but only after a huge investment of time and energy. We were so turned off by the experience that we haven't looked at PCI compliance since then.