rocknbil - 6:29 pm on Nov 21, 2011 (gmt 0) [edited by: rocknbil at 6:31 pm (utc) on Nov 21, 2011]
We can't give legal advice here, but google for "storing sensitive information legal issues" - if your client is not terrified of assuming the liabilities of this approach to sensitive data, he/she will be after reading up.
The other way to approach it is, okay, you are so bull-headed you want to go for it? Here's what you need:
- A secure PCI compliant server, under your control. No, you can't pay someone to host it - or if you do, it has to be under an (expensive) agreement and insured against any data breach (I don't know if any hosting company will even step up to that one)
- Control over the distribution networks, and regular audits of those networks to ensure they are secure.
- Regular PCI compliance scans, and audits by security professionals
- Internal audits of all computers connected to this network, and regular updates to ensure their security.
- Personnel audits of the people accessing this data.
- Insurance to cover any incidents of data breach.
You could go on . . . the point is, is he/she willing to pay for the liabilities that may arise?
I'd walk away.