Ross,
Great question! And I feel like this is a huge unspoken FAQ that many people avoid because they fear the answer. Like many things in life, it depends.
I've been cautioned against answering your question outright. Let me first direct you to the whitepaper it appears you've already read:
http://drupalpcicompliance.org/
And I recommend you contact Commerce Guys or Rick (the organizer of the PCI whitepaper) directly: http://rickmanelius.com/contact
Josh
PS: Below is my best attempt at an actual answer along with a lengthy disclaimer.
DISCLAIMER: Before I continue I want to reaffirm that the advice I'm giving you below is simply "best practices" and in no way represents exactly what you should do. In other words, I don't want to be held liable for any of your actions just because I'm answering a question :)
In general, the best practice with any eCommerce project is to push as much of the liability for the transaction as possible onto the payment gateway. In your case, you're using Authorize.net AIM, which is not what is called a "transparent redirect" and as such would require a higher level of PCI Compliance to be considered safe.
In general, you can choose to apply for any of the PCI Compliance Levels. Of course we all want the most secure option for the least amount of money, so you are limited by whether or not you can self-certify (self-certification isn't necessarily the easiest or cheapest every time) and what level of PCI Compliance is considered "safe." That is up to you and those you have hired for the project to determine.