There are many open source shopping carts that don't have any PCI compliance certification.
Is it legal to sell/distribute ecommerce related software that isn't compliant?
It makes no sense, since if the source code is modified in any way, you probably have to re-certify the software again, correct?
My understanding of PCI compliance is that the person handling the credit card personal info or storing it needs to be compliant (so PayPal, Google Checkout, etc.).
Do these open source shopping carts take a credit card number, and expect you to run the transaction through the credit card company yourself?
This link sort of gets to the point: http://selfservice.talisma.com/display/2n/index.aspx?c=58&cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&cid=81&cat=&catURL=&r=0.644091963768005 It depends on if you "process, store or transmit payment cardholder data".
My understanding is that PCI is from the credit card companies and so is a policy of use and not a legal / illegal thing.