So, having read quite a bit more on this, it seems like the whole pcisecuritystandards.org seems geared toward funnelling visitors toward a small cabal of Qualified Security Assessors (QSAs). If I'm not mistaken, it all comes down to the specifications demanded by your acquirer (i.e., "merchant bank") and in some cases you can get away with filling out a Self Assessment Questionnaire (SAQ).
I'm hoping you folks might help me determine which questionnaire might be applicable to a website under development. This site has two payment options. One involves creating a tokenized billing agreement via paypal (we redirect to paypal site where user agrees to let us bill their paypal account). The other is a securely-hosted form where users may enter their credit card details and we submit these (securely) to a payment gateway to create a tokenized payment id which we can use to bill the user in the future. We do not store any primary account numbers or CVV codes but we do store addresses for users and we want to store an expiration date for these payment methods so that we can act appropriately when a payment method expires.
Seems to me that SAQ-C might be appropriate:
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.
Any input would be much appreciated.