That's not true. If CC data is passing through his system, there are things he needs to be aware of. You'd be surprised at the logs that are generated by people who don't store credit card information. Somehow, that unstored CC information winds up in a random logs directory, unencrypted and open for anyone to see.
I'm no expert, but I don't think this is true. I've witnessed a few payment systems being implemented, and just by having this data pass through your system you need to adhere to some compliance rules (which are softer vs. actually storing the data, though).
Correct. We are doing a PCI compliance certification right now, for a service that does the same CC flow as this. We don't store, but just forward. But even that requires a PCI certification.
Coming from direct QSA experience, you can be liable for CC data if you are collecting, transmitting, or storing the data. Basically any touchpoint in the flow of CC data you're involved in holds you legally liable for PCI-DSS. Kind of like speeding on the freeway... doesn't really matter until you get nailed doing it, and PCI council fines are devastating. I'm glad to discount our product extensively for any bloggers here... https://www.secure128.com/trustwave-trustkeeper-pci-complian...
Just drop me a line to say hello and I'll give you whatever price you feel reasonable.