A question that has arisen several times in recent weeks is what is required from Commerce Server from a PCI/CISP compliance perspective. The short answer is that Commerce Server falls above the stack required for PCI/CISP compliance.
The certification is required for infrastructure level components. Because Commerce Server is software, it would fall into Payment Application Best Practices but is not actually mandated for compliance.