Storing credit card info
Message
From
26/09/2013 12:27:50
To
26/09/2013 12:16:04
Mike Cole
Yellow Lab Technologies
Stanley, Iowa, United States
General information
Forum: Business
Category: Legal
Miscellaneous
Thread ID: 01584217
Message ID: 01584240
Views: 44
>>>>>>>I know, I know, avoid if at all possible and use something like Authorize.NET.
>>>>>>>
>>>>>>>I'm being asked to store CC info in our DBs to perform recurring billing. "We're compliant" has been said and I've been told to use our broken encryption libraries to encrypt it. I need some info to throw back. Links to laws (state of Iowa), etc.
>>>>>>
>>>>>>Details of requirements for compliance here, I think: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
>>>>>>
>>>>>>But if they are not already storing this information how can they claim to be compliant?
>>>>>
>>>>>They're already storing it other places (projects I wasn't involved with).
>>>>>
>>>>>Is PCI the law or a guideline? I understand it to be the law, no exceptions. Just wanted to verify.
>>>>
>>>>I'm no expert but I believe it is a *requirement* of all major CC companies that any merchant that 'accepts, transmits or stores any cardholder data' be PCI compliant. Level of compliance required depends on the number of transactions/pa made by the merchant.
>>>>
>>>>Saw this as well:
>>>>
>>>>"The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant."
>>>
>>>Thanks for the info. I'm quite distressed about this.
>>
>>Well, presumably it's their job to prove compliance, not yours. They are the 'merchant'; you are the programmer?
>
>[Redacted]

Backing up to the original question, I see that Authorize.Net has an 'Automated Recurring Billing' option. Is there something there that won't fit your model?