Nonetheless, the credit-card companies want them to pay for a quarterly "network penetration test" on their website, and to provide detailed technical information on the website set-up. Since their website is hosted by a big ISP, they have no access to the necessary technical info, and the ISP doesn't really want network penetration tests pounding on their infrastructure all the time. This is a mess.
It is called PCI DSS compliance and it has been standard practice for years. If you don't store any credit card details then the compliance process is relatively straightforward; it takes a couple of hours and only has to be done once. The security scans are to verify that the web server is secure. If you use a web host that is already PCI compliant then the scan is just a formality.
On the other hand, if you choose to store credit card details on your server, which there is no valid reason to do, then it does become much more complicated. You also open yourself up to huge liability and a PR nightmare if you ever have a security breach and those credit card details are stolen.
Either use a third party processor and pass the credit card details straight on to them, or if you want your customers to be able to re-order without having to put in their credit card details again then use a token system. There is no reason to store the card details yourself even for a short period of time. Why doesn't the retailer you work with just store a transaction id to show the transaction has completed successfully?
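A merchant-side sketch of the design described in the reply above (tokenize at the processor, keep only the token, last four digits and transaction id), added here as an example and not code from the thread; the processor API (`tokenize`, `charge`) is an assumed stand-in for a real gateway, and the card number is a constructed test value.

```python
import re
import secrets
from dataclasses import dataclass, field

# Anything that looks like a 13-19 digit card number in merchant storage.
PAN_RE = re.compile(r"\b\d{13,19}\b")


class FakeProcessor:
    """Assumed stand-in for a third-party processor's tokenization API."""

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry); lives only at the processor

    def tokenize(self, pan: str, expiry: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, expiry)
        return token

    def charge(self, token: str, amount_cents: int) -> str:
        if token not in self._vault:
            raise ValueError("unknown token")
        return "txn_" + secrets.token_hex(6)  # transaction id for the merchant


@dataclass
class Merchant:
    processor: FakeProcessor
    customers: dict = field(default_factory=dict)  # customer_id -> token, last4
    orders: list = field(default_factory=list)     # (customer_id, txn_id, amount)

    def first_order(self, cid: str, pan: str, expiry: str, amount_cents: int) -> str:
        # The PAN is handed straight to the processor and never persisted here.
        token = self.processor.tokenize(pan, expiry)
        self.customers[cid] = {"token": token, "last4": pan[-4:]}
        txn = self.processor.charge(token, amount_cents)
        self.orders.append((cid, txn, amount_cents))
        return txn

    def reorder(self, cid: str, amount_cents: int) -> str:
        # Re-order uses the stored token; the customer never re-enters the card.
        txn = self.processor.charge(self.customers[cid]["token"], amount_cents)
        self.orders.append((cid, txn, amount_cents))
        return txn

    def stores_pan(self) -> bool:
        """Check that no full card number ended up in merchant-side records."""
        return bool(PAN_RE.search(repr(self.customers) + repr(self.orders)))


if __name__ == "__main__":
    m = Merchant(FakeProcessor())
    m.first_order("cust1", "4111111111111111", "12/30", 1999)  # constructed test PAN
    m.reorder("cust1", 499)
    print("PAN in merchant storage:", m.stores_pan())  # False
```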