[lug] Letting folks pay from the web.

Landon Cox landon at 360vl.com
Mon Feb 1 09:25:47 MST 2010


Regarding the issues of storing cards:

You can comply with PCI rules fairly easily except in one case.  PCI  
states that you can never store the CSC number, even encrypted.  For  
one-time purchases, not a big deal.

While it's probably not Jeffrey's festival case, if you ever need to  
charge a customer's card on a recurring basis, whether it's a  
subscription or Pay-per-whatever where you keep running the same card  
periodically (pay-per-click is an obvious example where you charge a  
deposit, then over a period of time, virtually exhaust that deposit  
and then charge another to "refill"), you don't want to have to keep  
asking for the customer's card.

In the case of PayPal, they have a subscription-type transaction, but  
that works on a specific interval.  If you have a non-standard,  
sporadic interval like a pay-per-whatever model, PayPal doesn't  
provide anything that helps.

All that said, the thing I've found that works for this model is CIM,  
which is an Authorize.net "Customer Information Manager".  You can  
manually or through an API create customer profiles, payment profiles,  
collect their card info once and let Authorize.net manage the card  
info security issues for PCI compliance... this includes the CSC  
number.  CIM is an extra monthly charge on a merchant account, but is  
worth it to not have to bother with PCI rules at all, and you can  
easily assure your customers (via an audit if you have to) that you have no  
database or process which stores their numbers on your servers.

Landon
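An added illustration of the profile-then-charge flow Landon describes (example code, not from the post or from Authorize.net): the card, CSC included, is sent once in a profile-creation request, later sporadic charges reference only the opaque profile ids, and the only record the merchant keeps is checked to contain neither PAN nor CSC. Element names follow the CIM XML API as the author of this example recalls it and should be treated as assumptions to verify against current Authorize.net documentation; credentials and card values are constructed test data.

```python
# Added example: Authorize.net CIM request shapes and a storage audit helper.
# Element/namespace names are assumptions; verify against the vendor docs.
import xml.etree.ElementTree as ET

NS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"  # CIM XML namespace (assumed)


def _auth(parent, login, key):
    a = ET.SubElement(parent, "merchantAuthentication")
    ET.SubElement(a, "name").text = login
    ET.SubElement(a, "transactionKey").text = key


def create_profile_request(login, key, customer_id, email, pan, exp, csc):
    """One-time request: card data (including the CSC) goes to the gateway, never to disk."""
    root = ET.Element("createCustomerProfileRequest", xmlns=NS)
    _auth(root, login, key)
    prof = ET.SubElement(root, "profile")
    ET.SubElement(prof, "merchantCustomerId").text = customer_id
    ET.SubElement(prof, "email").text = email
    payment = ET.SubElement(ET.SubElement(prof, "paymentProfiles"), "payment")
    card = ET.SubElement(payment, "creditCard")
    ET.SubElement(card, "cardNumber").text = pan
    ET.SubElement(card, "expirationDate").text = exp  # YYYY-MM
    ET.SubElement(card, "cardCode").text = csc
    return ET.tostring(root, encoding="unicode")


def charge_profile_request(login, key, profile_id, payment_profile_id, amount):
    """Later, irregular charges (the pay-per-whatever refill) reference only profile ids."""
    root = ET.Element("createCustomerProfileTransactionRequest", xmlns=NS)
    _auth(root, login, key)
    t = ET.SubElement(ET.SubElement(root, "transaction"), "profileTransAuthCapture")
    ET.SubElement(t, "amount").text = f"{amount:.2f}"
    ET.SubElement(t, "customerProfileId").text = profile_id
    ET.SubElement(t, "customerPaymentProfileId").text = payment_profile_id
    return ET.tostring(root, encoding="unicode")


def record_for_storage(profile_id, payment_profile_id, last4):
    """The only thing the merchant database keeps: gateway ids plus a display hint."""
    return {"customerProfileId": profile_id,
            "customerPaymentProfileId": payment_profile_id,
            "last4": last4}


def leaks_card_data(record, pan, csc):
    """Audit check: True if any stored value contains the full PAN or the CSC."""
    blob = " ".join(str(v) for v in record.values())
    return pan in blob or csc in blob
```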


