PCI Compliance is geared towards any business that accepts credit cards. Sounds like you guys don't accept credit cards directly on your site (i.e. no direct admin control over payment page). If your customer's info is being stolen, the problem may lie in that third-party payment page.
Volusion, Authorize.net, etc. have issues of their own. I've dealt with their vulnerable payment pages before as a PCI Compliance Network Vulnerability Analyst. I'd check with them if info keeps getting stolen.
To anyone reading: while I've seen vulnerable payment pages for those services, please don't take that to mean any of those services are automatically not secure.