The implementation of a PCI DSS compliance program can seem like a no-brainer to the Seasoned Security Person™ who's been saddled with (or taken on!) such a challenge. That may very well be the case, but there are some caveats which have little to do with the technical aspects of security. I hope the below will serve to save someone the (ahem) "novelty of discovery".
Note that this list will change over time as my experience with DSS compliance programs evolves.
* If your organization is a self-assessment-eligible merchant, you don't need a QSA (strictly speaking), but it can be helpful to know what the "right" answer at times when the way is not well-lit.
So, there you have it. Your technical chops may be top-notch, but unless you consider the non-technical aspects of such a compliance program (buy-in, funding, governance), you're likely to find yourself in the weeds. Symptoms include, but are not limited to: elevated blood pressure, rash, spirit voices demanding that you do unspeakable things, sleep-writing letters of resignation, etc.