John Baird
Coatesville, Pennsylvania, United States
>>I know, I know, avoid if at all possible and use something like Authorize.NET.
>>
>>I'm being asked to store CC info in our DBs to perform recurring billing. "We're compliant" has been said and I've been told to use our broken encryption libraries to encrypt it. I need some info to throw back. Links to laws (state of Iowa), etc.
>
>In addition to what everyone else has offered here - one thing that I know is important is that you do NOT store the credit card's 3 digit security code number anywhere in your database.
We are a financial software company and there are tons of regulations...
can't store the CVV,
can't store the plain number, must be encrypted with only the last 4 numbers showing, etc.
can't be used on Wi-Fi networks,
must be moved offline to a secure locked facility after hours...
on...and on.... and on...