swa66 - 4:49 pm on Nov 12, 2012 (gmt 0)

To avoid too much detail:

Your CC processor will most likely be PCI "certified" on some level, but in the agreement he'll transfer some of his requirements to your customer.

So the first place to look is the agreement/the conditions of the CC processor and the obligations you incur that way - that's unless your customer has an agreement with the CC companies - then these come into play as well.

Storing things from a CC: completely avoid it if you can. if they pass on the least bit of the PCI rules, you'll end up needing hardened systems, cryptographic protections, regular audits, separation of duties, etc. And a lot of liability too if anything ever goes wrong.