I think we may well be singing from the same hymn sheet. We must do all in our power, i.e. comply fully with PCI DSS requirements. For most of us "Level 4 Criteria Merchants with less than 20,000 transactions" would apply:
i.e.: Annual Self Assessment Questionnaire. Quarterly Scan by an Approved Scanning Vendor (may be recommended or required, depending on acquirer compliance criteria). There is usually no need to report compliance but must nevertheless achieve and maintain compliance.
I have not read my merchant agreement in a very long time. It dealt with a manual swipe machine and required me to keep copies of all the cards I dealt with for a lifetime in case of any questions. Must dig it out if I can find it.
I really don't think too many of us with osCommerce sites will be in the same league as TJX's "29 million MasterCard victims and 65 million Visa victims". By the way, they still accept Visa & Mastercard.