PCI Compliance and Tessitura Credit Card Processing

Hello Tessiturians,

This is mainly for those of you who have become PCI compliant and are still using Tessitura to process credit card payments... How have you managed to do it?!?

The scope of PCI says that the cardholder data environment includes any systems that store, process and/or transmit cardholder data. A lot of people seem to be trying to de-scope by turning off card storage, but in my opinion, and that of the two QSAs that visit us, this isn't the case. By that definition any machine that has Tessitura installed must be PCI compliant. We did try to get around this with our QSA by suggesting Citrix XenApp, whereby the application runs on a remote server, all communication is encrypted, and the user can't even copy and paste out of the XenApp session; however, the QSA advised that since the user is still entering the card number on that end machine, it is still in scope. How are other people solving this?

The second issue, which was recently sprung on us, concerns requirement 1.2.1:

"Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment."

The QSA recently advised that this would basically mean only Tessitura could be on the machine, as things like email and "general" internet access could not be deemed necessary for the cardholder data environment. The suggestion to resolve this was to put a machine in the room that had email and internet, but this completely ruined our communication lines. How are people resolving this issue?

We are starting to really struggle with this, and putting it off really isn't an option any more as we are being pressed by our merchant bank. Does anyone have a magic PCI compliance pill or something?!?

  • Hi Simon

    I know we have both email and web filters (proxy) set up, so all email and web traffic is monitored and restricted as necessary, as both email and internet are required by the Box Office (customer queries and web ordering issues) and by other teams that need access to Tessitura for their jobs.

    Mark
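As an added illustration of the two points above (the 1.2.1 "only what is necessary" interpretation in the question, and the filtering-proxy approach in Mark's reply), here is a host-firewall baseline for a Windows box-office workstation. This is example code written for this page, not anything from the original post, from Tessitura, or from a QSA; every address, port, hostname and program path in it is a placeholder assumption, and it complements rather than replaces the network firewall between the CDE and untrusted networks. The idea is that the default is to block everything outbound, and each allow rule names one thing the machine demonstrably needs, so the rule list itself is the justification the QSA asks for. Email and web are not sent to the internet directly; they are allowed only to the filtering proxy and mail server, which is where they get monitored and restricted.

```powershell
# Added example (not from the forum post): default-deny outbound on a Windows
# workstation in the card data environment, with explicit allow rules for what
# the CDE actually needs. All addresses, ports and paths are placeholders.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.

# 1. Block all inbound and outbound traffic by default on every profile.
#    Inbound is normally blocked already; stating both makes the baseline explicit.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Tessitura client -> its SQL Server, restricted to the client binary.
#    Placeholder server address and program path; use your own.
New-NetFirewallRule -DisplayName "CDE: Tessitura client -> SQL Server" `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress 10.10.20.5 -RemotePort 1433 `
    -Program "C:\Path\To\TessituraClient.exe"

# 3. HTTPS to the payment gateway only. Placeholder addresses; replace with the
#    ranges your processor publishes and review them when the processor changes.
New-NetFirewallRule -DisplayName "CDE: payment gateway HTTPS" `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress 203.0.113.10,203.0.113.11 -RemotePort 443

# 4. Domain services the workstation cannot log on or resolve names without
#    (placeholder domain controller). Tighten to specific ports if your QSA asks.
New-NetFirewallRule -DisplayName "CDE: domain controller" `
    -Direction Outbound -Action Allow -RemoteAddress 10.10.0.10

# 5. Web and email are allowed only to the filtering proxy and the mail server
#    (placeholder addresses), never straight to the internet. The proxy and mail
#    filters are where "restricted as necessary" is enforced and logged.
New-NetFirewallRule -DisplayName "CDE: web via filtering proxy" `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress 10.10.30.20 -RemotePort 8080
New-NetFirewallRule -DisplayName "CDE: mail server" `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress 10.10.30.25 -RemotePort 443,587

# 6. Review: every enabled outbound allow rule, so the list can be checked
#    line by line against the "necessary for the CDE" justification.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Sort-Object DisplayName |
    Format-Table DisplayName, Profile -AutoSize
```

Two practical caveats: Windows ships a number of built-in outbound allow rules (core networking, DHCP, DNS and so on), so the review step in part 6 is what tells you what is really permitted after the default changes; and the rule in part 4 is deliberately broad for a first pass, so expect to narrow it once you have logged what the workstation actually uses.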
