I'm not sure if you're citing PCI rule to say that the requirements are too strict or because you think most people ignore them, but I'll bite anyway. You might be right that PCI is commonly ignored (it's a contractual requirement, not a regulatory one, so the risk of non-compliance is much lower than with other data protection rules), but IMV, the requirements are pretty sensible.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Err... quite tricky when your machine is a virtual host that you're accessing over the Internet. Whatever firewall you set up, _you_ need to have a way around it. Very few people bother with VPNs or the like; most virtual hosting packages I've seen have FTP and other services open to all. This seriously compromises its security.
If your hosting package doesn't allow you decent control over the firewall, it has no place in an ecommerce platform.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Most web development companies I've worked with always want to transfer data around over unencrypted FTP, often including database backup files. The chances are, if you have a subcontractor handling your e-commerce web site, they're violating this requirement on a regular basis.
Use a different web development company. I'd be unlikely to want to deal with any developer who ever suggested FTP for the transfer of important data.
Requirement 5: Use and regularly update anti-virus software
Oh, yeah. Everyone has antivirus installed on their web servers. Wait... you mean they don't? What's this Linux thing?
If Linux and Windows boxes share the same network, you should run anti-virus software everywhere.
Requirement 6: Develop and maintain secure systems and applications
Ha!
Yup. Have coding standards, peer review of code, formal test and release cycles, segregation of duties between ops and dev staff, a viciously strict regression test cycle and systematic testing for SQL injection, cross-site scripting, etc. It's not rocket science.
Requirement 9: Restrict physical access to cardholder data
Somewhat difficult when you're not hosting the system yourself, so this requirement can only be met by less than 1% of e-commerce retailers out there.
Your contract with your hosting provider should address these security issues - in fact, they should be able to confirm that they're PCI compliant themselves. If they can't demonstrate that physical access to data, including backup tapes, is properly controlled, you need another hosting company.
Requirement 11: Regularly test security systems and processes
When was the last time you performed a penetration test on your network?
We schedule frequent (but deliberately irregular so that our ops guys don't know what's coming) internal and external penetration tests. I'm appalled that anyone should consider building an ecommerce platform without commissioning pen testing.
We're not required to be PCI compliant, but I know we'd pass a PCI audit with very little difficulty. The standards simply reflect good practice, and we aren't interested in being second rate.