Re: PCI-DSS Compliance
Nearly correct, it's if you handle an unmasked PAN, CVV2 etc., not just storage in the traditional sense.
Equally you can't store the CVV2 number or for that matter a copy of the tracks from the card's magnetic strip.
Equally, unless you use clear network segregation, other systems could well be within scope of PCI... so if they take payments by phone the web site could easily still be a PCI compliance issue.
This is not by any stretch of the imagination the DVLA's worst security issue in recent times involving piss poor web site security.
Perhaps El Reg may want to submit an FOI request...the response would evidence the quality of the DVLA's incident tracking process if nothing else.