PCI Compliance for shared hosting and other web site environments
Posted on 2010-08-12
Can someone explain to me how it's possible that places like PayPal Pro and Authorize.net state that they require their customers to be PCI Compliant when, from what I can tell, most people taking credit card information are not PCI Compliant?
From what I understand, one of the core aspects of PCI Compliance is that the web server and database server have to be physically separated by a firewall (on different physical servers). 99% of the websites out there taking credit cards are just using a shared hosting environment like GoDaddy, which is clearly not PCI Compliant from what I can see.
I have a client who needs to be PCI Compliant to use PayPal Pro, and it's going to cost a lot of money to do that. I'm certain that most people taking credit cards do not have two different dedicated servers running their website.
How is this possible?