The PCI-DSS spec is used by organizations to evaluate their infrastructure as to whether it is in compliance. I've read the entire v2 doc before, and unlike most technical specifications it is more of a best practices guide for secure transport and storage of PCI data. This includes everything from switches, routers, and servers to tape backup and everything in between. In Microsoft's case this includes the Xbox itself and everything within their datacenters that PCI data flows through. Part of the spec states that storage of PCI data should be avoided if possible and gives recommendations around storage when it is deemed necessary for secure storage. Things like encrypted filesystems using hardware security modules help accomplish this. To jrj102's comment, it is very likely M$ chose not to store the data on the Xbox itself, but instead to store it within their own network tied to your account in some way, thus greatly reducing risk.