Yes it does make you wonder, but from what I’ve been told, we process credit cards here through a third party portal, and that third party requires that we carry an active PCI compliance status. If I answer no to that question then Security Metrics will report that we are in a failing state and that CC processing company can choose to no longer provide us with that service. Perhaps Microsoft has that entire system completely isolated and those rules and regulations only apply to that specific network that is responsible for processing money.
We are way to small and I don’t have the resources to accomplish something like that and isolate the users/machines that process CC’s. Hell we only have one WAN link because anything over coax is too expensive for here. I remember the days when we had POS Partner ON SITE with stored CC numbers in the software and it wasn’t even encrypted! man things have changed.