Well, PCI compliance is not difficult from a programming standpoint with OpenACS.
The difficulty comes in paying a third party to certify that the software is PCI compliant. iirc some vendors were asked to pay over 10,000USD in circa 2003 for third party auditing and certification.
Last I checked, circa 2004, payment gateway services (and the credit card companies) did not require a vendor to certify their system if the annual revenue was relatively low (under a million USD or something). They just had to agree that they had performed the audit on software they had partly authored, and that the software met PCI requirements.
Audits were done, but I'm not aware of any official certification being published.
I think you can be confident, in having ecommerce audited, that any issues found could easily be addressed.
That said, if you point to the PCI software requirements, I'll be glad to help identify how ecommerce and related packages meet the requirements.
cheers,
Torben