Re: PCI Compliance
I thought long and hard about not storing ANY customer data as well, but we use it for so many things that it did not make sense for our business not to keep their name, addy and email local. We have opt-in emailing lists embedded in our web app for one thing, and for another, customers occasionally need to go back and tweak a transaction after it has already happened, and they use their email for this purpose. The advice I was given was that as long as you keep no trace of credit card data and you SSL everything to your gateway, you pretty much dodge the PCI bullet.