webguyny - 8:18 pm on Sep 4, 2007 (gmt 0)
If you DON'T store the CC in your own database and it gets housed in the payment gateway, i.e. VERISIGN, then there are some issues involving this. Firstly, Verisign or similar gateways will return a reference transaction associated with the credit card (number, exp, type, etc.). Depending on the card issuing bank, there IS an expiration associated with this reference transaction. Meaning, if you need to charge the card again in 3 months and the most recent transaction on record for the customer ID is 3 months ago---you can't. I've experienced some card #'s lasting for up to 6 months, but since I have customers purchasing once a year, I HAD to store it in our own database, with proper encryption of course. The other issue is, if you decide to go from storing the CCs elsewhere to your own servers--you MUST ask how much it would cost to attain the necessary CC info from prior customers using the stored CC (in payment gateway). They DO charge you based on volume. If your application requires an immediate charge to the card and would never have to reference it in the future, then I would not store the CCs in your own database due to liability issues. Hope this helps.
The answer will vary depending on the industry.