2012/5/26 Ken godee ken@perfect-image.com:
What "level" of PCI/DSS compliance are you going for?
I have to check this with the client. Credit card information will be encrypted and stored in client's own db.
Yup, this is exactly what they don't want people to do and I believe in the future they'll strive for just a handful of processors that will meet their criteria.
The client will be hosting it on their own office premise (the physical security aspect is being handled by another vendor).
I'm sure I'm talking way over my head at this point... but this must be for a fairly large merchant (1M+ transactions yearly).
"The client will be hosting it on their own office premise" sounds really bad. Usually these kinds of systems are located in really secure datacenters.
-- Eero