Six ways you can bork PCI

Declan Ingram

Some say the Payment Card Industry Data Security Standard goes too far, others say it doesn't go far enough. Most agree it's needed. PCI auditor Declan Ingram has spent years wading through various organisations' attempts at compliance -- the good, the bad and the ugly -- and compiled this list of the most common PCI cock-ups.

mhackling
Common mistakes

Excessive Data Retention - By just accepting the business requirements for cardholder data retention, you may end up spending vast extra amounts of $ on HSMs and encryption integration. Challenge the requirements from the business to retain the PAN for refunds/reversals and other invalid reasons. You only need an authorisation number, unless you periodically direct debit a credit card number. You may even be able to shift the storage of PANs to your service provider if you require that functionality.

Not mapping business processes before commencing remediation - Whoops, we just found another payment gateway, another acquirer, some weird location/application that the PAN has ended up at. Read documentation (if any), interview stakeholders, perform walkthroughs with key personnel BEFORE you start buying product.

Neglecting change control - By forgetting about change control after the QSA walks out the door, configurations will wander back to insecure and easy-to-administer settings. By enforcing a Nazi-like approach to change management in your cardholder environment, you can help prevent the greatest sin of all: enabling debug logging that stores PANs.

Forgetting about the web application - One SQL injection vulnerability in internet-facing or customer service officer interfaces can bring the whole house down. If your application can decrypt the stored PANs, then it can be commandeered by an attacker to siphon off the numbers.

Key management - Where are the private keys that encrypt your data stored? Are they on the same box as the application server or database? Can they easily be changed without breaking the whole thing? There is a reason for buying HSMs; it's called easier/more secure key management.
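The "debug logging that stores PANs" sin and the "you only need an authorisation number" point above are both easy to check for mechanically. The following is an added example, not code from the post or its author: a small scanner that finds PAN-looking numbers in application logs, filters them with the Luhn check so order IDs and timestamps are not flagged, and masks hits to the first six and last four digits (the most PCI DSS allows to be displayed). The log lines and the card numbers in them are constructed for this example; the card numbers are the publicly documented Visa, Mastercard and Amex test numbers, not real PANs.

```python
import re

# Constructed sample log lines (not from any real system). Line 2 is the
# "good" shape: an authorisation code and a reference, no PAN. Line 4 has a
# 16-digit order ID that fails Luhn and must not be reported.
SAMPLE_LOG = [
    "2009-03-21 10:02:13 DEBUG gateway: auth request card=4111111111111111 exp=1211 amount=4200",
    "2009-03-21 10:02:14 INFO  gateway: auth ok authcode=A1B2C3 ref=8d3f",
    '2009-03-21 10:02:15 DEBUG gateway: request body {"pan": "5555 5555 5555 4444", "exp": "12/11"}',
    "2009-03-21 10:02:16 INFO  orders: created order_id=4111111111111112",
    "2009-03-21 10:02:17 DEBUG gateway: amex 3782-822463-10005 declined",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; star out everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str):
    """Return (raw_match, digits_only) for every Luhn-valid PAN-looking number."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append((m.group(0), digits))
    return found


def redact_line(line: str) -> str:
    """Rewrite a log line with every detected PAN masked."""
    out = line
    for raw, digits in find_pans(line):
        out = out.replace(raw, mask_pan(digits))
    return out


def scan(lines):
    """Return (line_number, masked_pan) for each PAN leaked into the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for _, digits in find_pans(line):
            hits.append((n, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LOG):
        print(f"line {n}: PAN in log -> {masked}")
    print(redact_line(SAMPLE_LOG[2]))
```

Run against the sample, lines 1, 3 and 5 are reported and line 4's order ID is not. The same scanner is worth running over database dumps and HSM integration logs during the business-process mapping stage, since it finds PANs in places the documentation never mentioned.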
