also, its my understanding that PCI is required for anyone who 'transmits' card data, i.e anyone who uses the chargify API. If you dont have your game tight you are not PCI compliant and liable for any card data losses, regardless of chargify being compliant.