http://qs321.pair.com?node_id=780887


in reply to collecting sensitive data

You're getting into a big deal, but I'm guessing you already know that. For a standard you may want to start with, look at the PA-DSS. This is the Payment Card Industry's (PCI) standard for applications. It talks about handling sensitive credit card data and I think will provide you with a good basis.

But the best advice is never store sensitive data longer than you need to. As soon as you can get rid of it - do it.

Also have someone knowledgeable with secure handling of data review your design and your final implementation. Even if you feel comfortable with securely handling sensitive data, it's always better to get a second opinion.

grep
One dead unjugged rabbit fish later...