1) i don't believe that the act of storing the information in plaintext is illegal, but it could contribute to negligence suits if you mess up.
2) 2- or 3-TDES (http://en.wikipedia.org/wiki/Triple_DES) encryption; fully secure & restrict access to whatever database you use and whatever system holds the database; SSL connection (obviously).
having said all of that, is there a reason why you're not using something like paypal, amazon FPS or some other payment service? they kind of take the work out of this stuff by providing a secure way of accepting payments, including recurring stuff with stored CC#s.
TDES is old, but it's still widely used specifically in the online payments sector. i mentioned it specifically because there are probably some existing solutions to be found.
i'm definitely not an expert, though, and the question was better addressed by someone else.