Discussed on the mailing list; Chris said to open a ticket here with some PCI explanatory text. This is a first shot at it, and I'm very open to feedback.
Any website that collects credit card payment information is subject to the Payment Card Industry Data Security Standard (PCI-DSS). According to the PCI-DSS: "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."
Any payment module that collects credit card information will put your server under PCI scope and require you to comply with PCI-DSS requirements. The exception to this is a module like PayPal or Google Checkout, where the credit card information is actually entered on PayPal's site. If the credit card information is posted to your server, you are under PCI scope. (It doesn't matter whether you store the information or not. Simply transmitting it is enough.)