Samir,
The most secure option would be not to store credit card numbers. Any other
option will provide an invitation to hackers, law suites, embarrassment,
etc., so you should really think twice and consider whether the benefits
outweigh the risks. Anyway, if there is a valid business need to store
credit card info, you should encrypt it (unfortunately, you cannot use
hashing because you will need to get the original plain text values).
Encryption is no big deal here: there are tons of examples on the Web. The
main problem you will need to solve is protection of encryption key, and
there is not silver bullet here. Whether you use a public-private key or
symmetric key, you will need to do something to protect it and it ain't
easy. Depending on the type of your environment, support model, application
requirements, and a number of other factors, you must pick the most secure
option, which suites your needs. I would suggest checking the "Protect It:
Safeguard Database Connection Strings and Other Sensitive Settings in Your
Code" article
(
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/), which
offers some suggestions, but don't expect it (or anyone else who is not
closely familiar with your application) to give you detailed instructions. I
assume that you also realize that all transactions should be done over SSL
(HTTPS).
Alek
