>>>I know, I know, avoid if at all possible and use something like Authorize.NET.
>>>
>>>I'm being asked to store CC info in our DBs to perform recurring billing. "We're compliant" has been said and I've been told to use our broken encryption libraries to encrypt it. I need some info to throw back. Links to laws (state of Iowa), etc.
>>
>>Details of requirements for compliance here I think:
>>https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
>>
>>But if they are not already storing this information, how can they claim to be compliant?
>
>They're already storing it other places (projects I wasn't involved with).
>
>Is PCI the law or a guideline? I understand it to be the law, no exceptions. Just wanted to verify.
Voluntary standards (nationwide)