It looks like Brian Ghidinelli has also been struggling with the practicalities of creating a PCI compliant hosting environment and he's also looking for a vendor to take care of things. With Braintree focused on only larger vendors now, I'm still looking for a solution.

Once commenter on Brians blog seemed to think just by using Authorize.net's CIM product to hold the cc data he didn't have to deal with PCI. Unfortunately it isn't true. If the cardholder data touches your server for even a fraction of a second (i.e. if the form submits to your server), your server is in scope and you're in a world of pain unless you already have the kind of hosting and security setup that we'd all love but that many smaller websites are simply unable to justify.

Has ANYONE found a real solution for this for the companies that would like to do more than just pass the whole branding of the checkout onto Google checkout or Paypal or the simple auth.net processing method where you use their checkout form?

If you "store, process or transmit" credit card information, you need to get PCI compliant. In practice the requirements are way beyond most smaller merchants. I'm considering developing a new service - this post outlines the risks you have as a developer, the proposed solution and is a way of getting feedback on interest/pricing. Please comment below if you might be interested in this, and if you know any other web devs, please ask them to comment as well . . .

[More]

How do you implement your "remember me"/"forgotten password" functionality? Here's what we're doing right now . . .

[More]

I just wanted to throw out an approach I’m using for roles based security for OO applications to see if anyone had any thoughts or better ideas . . .

[More]