If you're storing encrypted CC numbers, Visa has some pretty specific requirements (and some pretty hefty fines for violating if you are hacked and the numbers are leaked)
Check the CISP recommendations. If you store numbers, you must tell your merchant bank that you are doing so and sign paperwork with your acquirer that you are indeed following CISP.
Not that everyone and their brother doesn't store credit card numbers on publically accessible machines -- I believe buy.com was the first company fined under the CISP regs when they leaked 10k credit card numbers.
With that said, I think there is AES support for AOLServer (although I don't believe AES is an acceptable encryption method with CISP)
Starting Jan 1, 2004, there is a manditory annual compliance statement that needs to be signed by the people in charge.
Then, the paperwork gets even more fun when you go for that Verified by Visa logo.
After you get done explaining to Visa why you need to store credit card numbers, give Mastercard a call. They have their own compliance which closely parallels Visa. American Express has some other limitations for numbers held for them. All in all, its not a fun task to be in compliance -- and a project that I've got to deal with in the near future.
If your client deals with a gateway processor already, you might ask them what API they have in place to allow either recurring or recurring+addon charges. Your gateway will have already gone through compliance -- and then you don't have to worry about having numbers stored on a machine.
If I recall, Jerry Asher and I hashed this before
https://openacs.org/forums/message-view?message_id=120984
