I have recently found out that to be pci compliant, your entire server must be pci compliant, or you better not allow anyone even type in their credit card number into a page on your site - whether you are storing it or not. My question is this: If a site is deemed not pci compliant, and the site is compromised, who is liable? I ask because I hosted and developed a few sites that take cards in non-compliant ways, and have notified my customers, but they are not exactly being quick with their responses. So, am I liable or are they, for the super steep fines if something awful happens?