@bizpro1 While Security Metrics certainly seems to be a joke, if you accept credit card payments, you still need to be PCI compliant.
In short:
If you accept credit card payments, you have a merchant account, and the ability to log into that merchant account.
Whether you personally would be able to pry sensitive financial information out of your merchant account is irrelevant. If your equipment becomes compromised, bad actors would then have access to said merchant account, and they are able to do just such prying.
It's basic data security.
