2012/5/26 Ken godee <ken at perfect-image.com>:
>>> What "level" of PCI/DSS compliance are you going for?
>>
>> I have to check this with the client. Credit card information will
>> be encrypted and stored in the client's own db.
>
> Yup, this is exactly what they don't want people to do and
> I believe in the future they'll strive for just a handful
> of processors that will meet their criteria.
>
>> The client will be hosting it on their own office premises (the
>> physical security aspect is being handled by another vendor).
>>
>
> I'm sure I'm talking way over my head at this point.... but
> this must be for a fairly large merchant (1M+ transactions yearly).

"The client will be hosting it on their own office premises" sounds really bad.
Usually this kind of system is located in really secure datacenters.

--
Eero