PCI Compliance is an area of particular concern for companies considering moving some of their activities onto the Cloud. This paper discusses how such concerns are really nothing new, that they are simply the latest manifestation of underlying friction that has long existed between merchants and payment card processors. The paper reviews the most common complaints made by merchants and shows how they are largely based on misunderstandings of the purpose and nature of the compliance procedure and argues that any company with a sound approach to security should have little problems with the process. It concludes that properly understood and applied, the PCI Compliance process can be of real benefit to businesses not just in absolute terms of achieving compliance but as a good starting point in developing a more effective overall approach to security.