Responsible Handling of Billing Information?
moving on asks: "I've been asked by a client to build a fee-based subscription service using Surepay as the vendor for processing credit card transactions. Subscribers to the service will be billed X amount per month, and that is the rub. Surepay does not offer recurring billing, so I will need to store credit card numbers and related info. The question is then, how does one best do this in the most responsible manner?" The trick here is giving consumers the service they have come to expect from most websites, without exposing their personal information to would-be thieves. Do you think such a system is possible?
Like most security questions, ultimately this boils down to Security vs. Convenience.
I've worked in a number of arenas that involve handling credit card information.
Here are some of the mistakes I've seen; maybe you can avoid doing them.
I contracted at a known online shopping company. When I sat down at a terminal, my access gave me permissions to the database. My machine had a floppy drive AND a zip drive. None of the CC information was encrypted. I told my manager that this was a security problem. His response? Released me for being a threat to their company.
There are at least three lessons in that story.
The only way to gain more security is to force PIN number use onto consumers. Not perfect, but a lot better. Oh yeah, encrypt it for goodness' sake! Good encryption. Also CC numbers that expire every 30 days.
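As an added example (not code from the original post, the commenter, or Surepay), here is one way to hold the card data the poster has to keep for monthly billing: the PAN is encrypted at rest with AES-256-GCM under a key that lives outside the database, the ciphertext is bound to the subscriber record so it cannot be swapped between rows, and only the last four digits stay in the clear. The names (StoredCard, sealPAN, openPAN) and the key-handling arrangement are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// StoredCard is what the subscription database holds: never the bare PAN.
type StoredCard struct {
	SubscriberID string
	Last4        string // for receipts and display only
	Nonce        []byte
	Ciphertext   []byte // AES-256-GCM(PAN), bound to SubscriberID
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealPAN encrypts a PAN for storage, with the subscriber ID as GCM associated
// data so a ciphertext copied onto another row will not decrypt. The key must
// live outside the database (KMS/HSM or a billing-process secret), not beside it.
func sealPAN(key []byte, subscriberID, pan string) (StoredCard, error) {
	gcm, err := newGCM(key)
	if err != nil || len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("bad key or PAN length out of range")
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(subscriberID))
	return StoredCard{subscriberID, pan[len(pan)-4:], nonce, ct}, nil
}
// openPAN decrypts only inside the billing job; GCM rejects any altered record.
func openPAN(key []byte, c StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.SubscriberID))
	if err != nil {
		return "", errors.New("card record failed integrity check")
	}
	return string(pt), nil
}
```

Decryption should only ever run in the process that submits the charge, with the key supplied to that process and not readable by the terminals and database accounts described above.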
The Kruger Dunning explains most post on