Storing credit card info
Message
From: 02/10/2013 23:04:57
To: 26/09/2013 10:05:11
Mike Cole
Yellow Lab Technologies
Stanley, Iowa, United States
General information
Forum: Business
Category: Legal, Misc
Thread ID: 01584217
Message ID: 01584703
Views: 63
>I know, I know, avoid if at all possible and use something like Authorize.NET.
>
>I'm being asked to store CC info in our DBs to perform recurring billing. "We're compliant" has been said and I've been told to use our broken encryption libraries to encrypt it. I need some info to throw back. Links to laws (state of Iowa), etc.

Lot of misinformation in this thread.

PCI compliance does not, per se, involve specific details but rather is a set of goals, most of them pretty vague. For example, it is a requirement of PCI that your network be secure. In no way, shape or form does PCI specify how you must do that. You simply have to demonstrate that you achieve the stated goal. The goals are different for the merchant than for the software vendor.

PCI has no legal standing; it is a set of guidelines. It is separate from the guidelines from the MC/Visa consortium. (As a note, Amex and Discover do not share the same processing system as MC/Visa, but generally implement whatever guidelines MC/Visa decide upon. They may or may not have additional requirements. In common usage people refer to CC guidelines when they really mean MC/Visa guidelines.)

The merchant's PCI standing has little to do with, and is far more complex than, standards for contract developers or software VARs.

PCI audits can be external or self certified, and again are for the merchants.

There is no prohibition on storing CC numbers provided they are encrypted. This is a MC/Visa standard, not PCI. However, one thing MC/Visa is extremely strict about is storing the 3/4-digit code. Storing it at all, encrypted or not, is a violation that can result in permanent revocation of merchant charging privileges.

The actual point-of-sale transaction, if done through Authorize.net or PC Charge, is automatically, by definition, PCI and MC/Visa compliant. The developer then must deal with how the CC info is stored or archived.

I am presenting on this topic at SW Fox, and have spent many hours in research. However nothing in any post or communication from me may be considered legal advice.