>> What "level" of PCI/DSS compliance are you going for?
>
> I have to check this with the client. Credit card information will
> be encrypted and stored in the client's own db.

Yup, this is exactly what they don't want people to do, and I believe in the future they'll strive for just a handful of processors that will meet their criteria.

> The client will be hosting it on their own office premises (the
> physical security aspect is being handled by another vendor).

I'm sure I'm talking way over my head at this point... but this must be for a fairly large merchant (1M+ transactions yearly). Not quite sure why one wouldn't use one of the processors' gateway facilities; there are convenient APIs that would handle anything to do with CCs, and at a "small fraction" of the price to set up and maintain.