boris

Reputation: 102

temporarily storing credit card information in database

I maintain an internal web app used for customer relationship management (CRM) by company staff (agents and bookkeepers). There are no online sales/purchases; all payment processing is done in person with terminals that accept credit card payments. Sometimes there are subsequent payments that have to be processed at a later date, away from the customer.

Here's my scenario: a staff agent answers a call and is asked to take a payment from the credit card the customer wishes to pay with, but since the agent cannot run the payment through the terminal (only the bookkeeper can), they take a note of the card information and give this note to the bookkeeping staff to run the credit card payment on the terminal at a later time.

Of course this is an insecure method of transferring credit card information, as anyone could see in plain text what is written on the sticky note, including the office cleaners, etc. When the payment is finally run by the bookkeeper, the note is destroyed in a shredder.

Anyway, I got a request to store this information temporarily until the bookkeeper runs it and deletes it from the database. I can't find specific information about temporary storage and am hoping someone can help point me in the right direction, give me a better idea of what the practices should be, or tell me if there are third parties I can use.

So far what I think is to encrypt the credit card data and store it in the DB until the bookkeeper clicks delete, at which point it will be removed from the database.

Final note: I am using PHP/MySQL and a JavaScript front end.

Thanks for the help.

Upvotes: 0

Views: 390

Answers (1)

Asaph

Reputation: 162801

If your software handles credit cards in any way and for any period of time, you're in scope for PCI. PCI compliance is kind of a big deal and is best left to a third-party vendor that specializes in this kind of thing. Storing credit cards, even "temporarily", is asking for trouble.

Upvotes: 5
