in reply to collecting sensitive data

Reading through this would at least be a start. I'd like to echo the concerns listed above though -- you really ought to think twice about this. I work in the retail industry and PCI requirements are both complex and, at times, convoluted. Your very first step should be talking with legal counsel...and perhaps some psychological help while you're at it.