As you consider ways in which to provide safe escrow for the customer's personal information, you might consider consulting your corporate attorney to get an appropriate waiver of liability in place.
By storing the credit information beyond the life of the immediate transaction with your payment service, you're opening yourself up to additional exposure to yourself that I'd imagine isn't covered by the contract with the credit card processor.
It looks like you're stuck in the realm of symmetric encryption techniques for the information, and there are steps you can take to protect your encryption keys. But even with good physical and software security (hardcopy keys in bank vaults, regular key rotation) it would be prudent to limit your liability.
Something else to check into is any additional privacy regulations that may apply if you end up being a financial "intermediary". One of particular note is Gramm-Leach-Bliley, which requires certain disclosures when you have certain roles in financial transactions. Again, a real legal opinion is probably your best bet here.