I have a client who is a reseller for vacation packages. For years they've had a payment form on their site where the end user would fill out their credit card data and the information is emailed to the reseller. BAD... I know. The only security they had implemented was the page was SSL.
The client then signs into their wholesaler account and charges the card there.
As a new client, we told them this is bad and needs to be handled differently.
So my question is, what would be the proper method for temporarily storing credit card data? Or do you know of a service that the full credit card data can be passed to but not charged and is secure, PCI compliant? They'd have to sign in to view the credit card, and then charge it via their wholesale account.
I really don't want to store credit card data in their website's database... I inquired, asking if the wholesaler provided them with silent post options, or an embedded form they can use.
I looked into Stripe but it stores the card as a token.
Any advice is much appreciated.
I just honestly think this whole request from my (potential) client is out of whack and I want to make sure we handle it correctly, securely, and properly.
Well, if your wholesaler does not offer an automated way to process data, you're going to have a hard time not storing the credit card info. This means that you probably will also have to get SAQ-D.
Storing a token of a card is not the same as storing the card details. In your case you will have to store the PAN and Verification code for as long as the transaction (in this case charge by the Wholesaler) isn't made. Storing that data is what you want to avoid. A token is a lot better in this case. You will still have to be very careful how you store these tokens, but since you do not store sensitive CC data, you are not required to get SAQ-D.