  #1  
January 25th, 2013, 11:55 AM
User6542
Storing CC Data so that a user can pay anytime like in App Store?

Hi Everyone, I have this huge issue because this is such a complex topic for a beginner like me to understand.

I want my users to be able to place reservations with their account, without having to re-enter their CC details every time. This would work like the App Store, where you press "buy", and after you confirm your order, it's a done deal.

Now, from a technical standpoint (I want my own payment gateway) this shouldn't be an issue if I stored the encrypted CC data in a DB and retrieved it to use with PayPal Pro.

However, from what I read it's always a security issue, and even without that there are apparently strict restrictions and audits required for this to work. For a company located outside of the US, this is even more difficult.

I looked into having the payments done in-app using Apple's and Android's systems; however, Apple takes 30% of the cut. If a reservation were ever to come to $1000, it's impossible for this to work.


Honestly, what are my options?

  #2  
January 25th, 2013, 05:41 PM
E-Oreo
Use a third party service like Authorize.net's CIM. Do not store the credit card details yourself.

I think you're underestimating the amount of effort and risk involved with storing credit card details. If you are found to be out of compliance, you could face fines of up to $100,000 USD per month.

There are several different levels of compliance that companies must meet depending on how they use credit card details. Using a hosted service like Authorize.net hosted CIM or most of PayPal's offerings (but not PayPal Pro) puts you at the lowest level, which makes it very easy to be in compliance. Storing credit card details yourself puts you at the highest level, which makes compliance very difficult and time-consuming.

The document identifying the compliance requirements for the highest compliance level (the one required for you to store credit card details yourself) is about 50 pages long. Among other things, it has requirements like:
* Having designated personnel on-call 24/7 to respond to emergencies
* Having only one primary function per server (e.g., you cannot have a web server, database server, mail server, etc. on the same machine)
* Having the ability to quickly roll back all changes made to your production environment
* Having video cameras monitoring your servers 24/7 and storing the collected video for at least 3 months

(If you use PayPal Pro without storing credit card details, you will be at a middle compliance level.)
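The card-on-file pattern recommended in the answer above, sketched as an added example that is not part of the original thread: the application stores only an opaque profile reference issued by the hosted service plus display data, and a Luhn-based guard refuses any field that looks like a full card number. The field names, the `cp_8f3a1c` reference and the request shape are assumptions for illustration, not Authorize.net's or PayPal's API.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(text: str) -> bool:
    """True if text holds a Luhn-valid digit run that could be a full card number."""
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

@dataclass(frozen=True)
class StoredPaymentMethod:
    """The only payment data the application database keeps (hypothetical schema)."""
    user_id: int
    gateway_profile_id: str   # opaque reference returned by the hosted vault
    brand: str                # display only
    last4: str                # display only

    def __post_init__(self):
        for value in (self.gateway_profile_id, self.brand, self.last4):
            if contains_pan(value):
                raise ValueError("refusing to store a full card number")
        if not re.fullmatch(r"\d{4}", self.last4):
            raise ValueError("last4 must be exactly four digits")

def build_charge_request(method, amount_cents, reservation_id):
    """Payload the app would send to the hosted service: a reference, never card data."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    return {"profile_id": method.gateway_profile_id,
            "amount_cents": amount_cents,
            "reference": reservation_id}
```

The same `contains_pan` check can be run over log lines and free-text fields to catch card numbers that leak in outside the payment flow.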
  #3  
January 28th, 2013, 09:02 AM
User6542
Thanks! Why exactly is using PayPal Pro putting me at the middle level?
