The part that makes compliance tough is the moving target. Come July, there is a whole new batch of standards that merchants need to follow or risk huge fines. Not only that, they could possibly lose their ability to process credit cards. I doubt that, though, or someone like TJX would have lost their card processing abilities.
Personally, I'm in the middle of buying application firewalls. That sure beats pushing everything through a third-party code audit if you ask me, but either is very pricey.
So, do any of you reading this have any opinions on app firewalls? Good brands? Bad? Features? Reliability?