I was just wondering what would be the PCI certification level if you were storing encrypted credit-card numbers for recurring billing.
I plan to have less than 20,000 transactions annually; however, with storing credit card numbers I am not sure.
If you really (really) need to store card numbers, then you fall into the strictest level of PCI compliance. That requires annual on-site audits, quarterly network scans, and (as you may already be aware) will be very costly. This is regardless of the number of transactions. (The old first drafts of PCI gave different levels depending on the quantity of cards processed. That is no longer the case.)
If you can use a 3rd party to store/process the recurring billing, then you drop into a lower level which requires only that you complete a Self Assessment Questionnaire (SAQ) annually. Most payment service providers will be able to help with recurring billing if you discuss your requirements with them. Recurring billing (as you know) has extra complications in that cards can expire, be discontinued or be replaced mid-cycle.
If you're at all in doubt, then now would be the best time to start speaking to QSAs (Qualified Security Assessors). If you discuss your situation over the phone they will be able to advise exactly where you stand. Ultimately, unless you go with a 3rd party Payment Service Provider, you will need a QSA to assist with bringing your organisation into PCI compliance.