>I know, I know, avoid if at all possible and use something like Authorize.NET.
>
>I'm being asked to store CC info in our DBs to perform recurring billing. "We're compliant" has been said and I've been told to use our broken encryption libraries to encrypt it. I need some info to throw back. Links to laws (state of Iowa), etc.

In addition to what everyone else has offered here - one thing that I know is important is that you do NOT store the credit card's 3-digit security code number anywhere in your database.
ICQ 10556 (ya), 254117