I've been doing some security work in Windows 2008 recently for a client, one feature I've really come to like in IIS 7 is Request Filtering.

You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.

It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.

Requirement 4.