AustinGuy - 7:48 pm on Jul 6, 2009 (gmt 0)
The best PCI guideline to follow is don't store any credit card numbers at all, thus eliminating any risk. If you must, store the last four. If your data gets compromised, the credit card company will go after your bank, then your bank will go after you and can charge fines, etc. We had a consultant come in and help explain the somewhat vague PCI guidelines to us. If you do have to store the whole credit card number, every network and server that touches your database and web server must also be PCI compliant to prevent someone getting in from the backend. I was in PCI hell a few months back and unfortunately learned too much about it.
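As an added illustration of the "store only the last four" advice in the post above (example code, not part of the original thread): a small Python module that reduces a card number to its last four digits plus a keyed one-way token for lookups, and a scanner that flags Luhn-valid card numbers in text so accidental storage in logs or database dumps can be caught. The HMAC key and the test card number are constructed placeholders.

```python
import hashlib
import hmac
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands; weeds out order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def retain_for_storage(pan: str, secret: bytes) -> dict:
    """Return only what is safe to keep: last four digits and a keyed token.
    The token lets you match a returning card without holding the PAN; the key
    must live outside the database (HSM, KMS, or separate secret store)."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    token = hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "token": token}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Detection side: report digit runs that pass the Luhn check, i.e. likely real PANs
    that should never have reached a log line or a backup."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

if __name__ == "__main__":
    # Constructed sample: 4111 1111 1111 1111 is a well-known test number, not a live card.
    line = "constructed log: card 4111 1111 1111 1111 charged; order 12345678"
    print(find_pans(line))
    print(retain_for_storage("4111 1111 1111 1111", b"placeholder-key"))
```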