What "level" of PCI DSS compliance are you going for?
I have to check this with the client. Credit card information will be encrypted and stored in the client's own DB.
Yup, this is exactly what they don't want people to do, and I believe in the future they'll strive for just a handful of processors that will meet their criteria.
The client will be hosting it on their own office premises (the physical security aspect is being handled by another vendor).
I'm sure I'm talking way over my head at this point... but this must be for a fairly large merchant (1M+ transactions yearly).
Not quite sure why one wouldn't use one of the processors' gateway facilities; there are convenient APIs that would handle anything to do with CCs, and at a "small fraction" of the price to set up and maintain.