If you are processing credit card payments you are supposed to adhere to the PCI-DSS standard, which does include encrypting Cardholder Data. Go to https://www.pcisecuritystandards.org/
Get the self-assessment questionnaire and work through it.
Encrypting columns, rows or tables in your database is trivial; pgcrypto will do this for you if you have Postgres. Or you can hack something together with http://php.net/openssl pretty easily. Whatever you do, don't try to write your own encryption routines: people will laugh at you, and Moldovan teenagers will buy BMWs with your customers' money.
Set up views so that non-finance personnel see the last four digits only, and those with a need to know can see the full PAN and have their accesses logged to an audit table that cannot be altered without superuser privileges.
Right now you can slide by, but in a few years your payment gateways and merchant banks are going to be insisting that even small processors have outside audits.
And according to the standard you should never store the CVV2 code; you should request it each time.
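The layout the post sketches, as an added example that is not code from the original post: pgcrypto for the PAN column, a masked view for everyone else, and a SECURITY DEFINER function that is the only way to read a full PAN and that writes an append-only audit row. The role names finance_ro and support_ro and the app.card_key session setting are assumptions for illustration; the key is supplied per session by the application and is never written into the database.

```sql
-- Added example, not from the original post. Assumes PostgreSQL with the
-- pgcrypto extension and two hypothetical roles: finance_ro (need to know)
-- and support_ro (last four digits only). The encryption passphrase is
-- supplied by the application per session, e.g.
--     SET app.card_key = '...';
-- and is deliberately NOT stored anywhere in the database.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE cards (
    card_id   bigserial PRIMARY KEY,
    customer  text     NOT NULL,
    pan_enc   bytea    NOT NULL,   -- pgp_sym_encrypt() of the full PAN
    last4     char(4)  NOT NULL,   -- kept in the clear for masked display
    expires   date     NOT NULL
    -- no CVV2 column on purpose: the standard forbids storing it
);
REVOKE ALL ON cards FROM PUBLIC;   -- nobody reads the base table directly

-- Append-only audit table: INSERT is only ever done by reveal_pan() below;
-- no UPDATE/DELETE is granted, so only a superuser could alter history.
CREATE TABLE pan_access_log (
    log_id      bigserial   PRIMARY KEY,
    card_id     bigint      NOT NULL REFERENCES cards,
    accessed_by text        NOT NULL,
    accessed_at timestamptz NOT NULL DEFAULT now()
);
REVOKE ALL ON pan_access_log FROM PUBLIC;

-- Ingest path: the PAN is passed in once and only ciphertext + last4 persist.
CREATE FUNCTION store_card(p_customer text, p_pan text, p_expires date)
RETURNS bigint LANGUAGE sql AS $$
    INSERT INTO cards (customer, pan_enc, last4, expires)
    VALUES (p_customer,
            pgp_sym_encrypt(p_pan, current_setting('app.card_key')),
            right(p_pan, 4),
            p_expires)
    RETURNING card_id;
$$;

-- What non-finance personnel see: last four digits only.
CREATE VIEW cards_masked AS
SELECT card_id, customer, '************' || last4 AS pan_masked, expires
FROM cards;
GRANT SELECT ON cards_masked TO support_ro;

-- The only way to get a full PAN. SECURITY DEFINER runs with the table
-- owner's rights; session_user is still the human who connected, so the
-- audit row names the real person, not the function owner.
CREATE FUNCTION reveal_pan(p_card_id bigint)
RETURNS text LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
    v_pan text;
BEGIN
    SELECT pgp_sym_decrypt(pan_enc, current_setting('app.card_key'))
      INTO v_pan
      FROM cards
     WHERE card_id = p_card_id;
    IF v_pan IS NULL THEN
        RAISE EXCEPTION 'no card with id %', p_card_id;
    END IF;
    INSERT INTO pan_access_log (card_id, accessed_by)
    VALUES (p_card_id, session_user);
    RETURN v_pan;
END;
$$;
REVOKE ALL ON FUNCTION reveal_pan(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION reveal_pan(bigint) TO finance_ro;

-- Usage (application sets the key for its session, then calls):
--   SET app.card_key = 'passphrase-from-the-app-side-key-store';
--   SELECT store_card('Alice', '4111111111111111', DATE '2030-12-31');
--   SELECT * FROM cards_masked;          -- support_ro: ************1111
--   SELECT reveal_pan(1);                -- finance_ro only; writes an audit row
```

Two caveats a reviewer would raise: the audit INSERT lives in the caller's transaction, so a caller who reads the PAN and then rolls back leaves no row, which argues for shipping the log to a separate system as well; and because decryption happens inside the database, the passphrase transits the connection and is visible in `pg_stat_activity` while the statement runs, so a database compromise that includes a live session is a key compromise too. Both are reasons the post's advice to get an outside audit is worth taking.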
Since the CVV2 may not be stored by the merchant for any length of time[2] (after the original transaction in which the CVV2 was quoted and then authorized and completed), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.
You can also process transactions without a CVV. Credit card companies just charge you (the vendor) more for these transactions, just like those without verified addresses and cards entered by hand versus those swiped through a reader.