Storing credit card info
Message
To
26/09/2013 16:48:35
John Baird
Coatesville, Pennsylvania, United States
General information
Forum: Business
Category: Legal
Miscellaneous
Thread ID: 01584217
Message ID: 01584277
Views: 57
>>>I know, I know, avoid if at all possible and use something like Authorize.NET.
>>>
>>>I'm being asked to store CC info in our DBs to perform recurring billing. "We're compliant" has been said and I've been told to use our broken encryption libraries to encrypt it. I need some info to throw back. Links to laws (state of Iowa), etc.
>>
>>In addition to what everyone else has offered here - one thing that I know is important is that you do NOT store the credit card's 3 digit security code number anywhere in your database.
>
>We are a financial software company and there are tons of regulations...
>
>can't store the cvv,
>can't store the plain number, must be encrypted with only the last 4 numbers showing, etc.
>can't be used on wi-fi networks,
>must be moved offline to a secure locked facility after hours...
>on...and on.... and on...

Yeah, the list goes on forever. I worked somewhere a while back that had a web developer that was oblivious to these rules - stored everything in a MySQL database unencrypted (including the 3 digit security number). Then one day he called me wondering why all the credit card numbers in the database were now all the same number. To make a long story short - the website and MySQL database had been hacked. Was a huge mess - had to contact all the customers & tell them what happened, set up a 1800 number for people to call in if they were concerned, etc. etc. etc. Needless to say the "web developer" was fired. Turns out it was the nephew of the owner - a 17 year old kid & this was his first project. I was the one tasked with redesigning the backend database so that it met all of the rules and requirements - so I learned first-hand just how many of these rules and such exist - there are a LOT.
ICQ 10556 (ya), 254117
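
Added example, not part of the original thread or any poster's code: a small audit that scans exported database rows for the two problems named above, a stored security code and a card number held in plaintext, and reports numbers with only the last four digits visible. The column names in `CVV_COLUMNS` and the sample rows are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Column names that suggest a stored card security code (hypothetical naming).
CVV_COLUMNS = {"cvv", "cvv2", "cvc", "cid", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits remain readable."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_rows(rows):
    """Return (row_index, column, finding) for each stored-card-data problem."""
    findings = []
    for idx, row in enumerate(rows):
        for col, value in row.items():
            if col.lower() in CVV_COLUMNS and value not in (None, ""):
                findings.append((idx, col, "security code stored"))
                continue
            for m in PAN_RE.finditer(str(value)):
                digits = re.sub(r"\D", "", m.group())
                if luhn_valid(digits):  # report masked, never echo the full number
                    findings.append((idx, col, "plaintext card number " + mask_pan(digits)))
    return findings


# Constructed sample rows; 4111111111111111 is a common test number, not a real card.
SAMPLE_ROWS = [
    {"customer": "A", "card": "4111 1111 1111 1111", "cvv": "123"},
    {"customer": "B", "card": "gAAAAABk-constructed-ciphertext", "last4": "1111", "cvv": None},
    {"customer": "C", "card": "order 1234567890123456", "cvv": ""},
]

if __name__ == "__main__":
    print(audit_rows(SAMPLE_ROWS))
```

Only row A is flagged: row B holds ciphertext plus a last-four field, and the 16-digit order number in row C fails the Luhn check.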