TechEcho

Ask HN: Can someone explain PCI compliance to me in a nutshell?

6 points by tapan_pandita over 12 years ago

What I basically need to do is pass on credit card info (credit card no., cvv, expiry) to a third party that will charge the card. Let's assume I cannot integrate stripe or another such service. I would also want to be able to store the card info for recurring payments. What is the PCI compliant way of doing this? I know that for PCI compliance, I am not allowed to save the cvv or other such data (even if encrypted), but there might be a gap in my understanding. Any PCI compliance experts here who can clarify on this?

tl;dr: Need to save credit card info (credit card number, expiry date, cvv) for recurring payments, what is the PCI compliant way to do it?

3 comments

mindcrime over 12 years ago

I don't know how much value you're going to get from an "in a nutshell" explanation here. PCI compliance regulations are moderately complex and have at least a handful of ambiguities and what-not, like any complex spec. If you want to "roll your own" payment processing and store credit cards, you really need to bite the bullet[1], download and read the spec, and - if you don't feel pretty confident that you understand it - hire a consultant who specializes in this stuff to help out. In either case, you should have a PCI compliance audit done eventually to help ensure that you really are in compliance.

Then, even after that, you have regular reports to do, etc., etc. Being, and staying, PCI compliant can be a huge time sink.

All of that said, would a service like Spreedly[2] work for you? I believe they can handle recurring payments / subscriptions, and they take care of making sure everything is PCI compliant, so you don't have to do all of that work. Unless billing and credit card processing is a core competency for your company, I can't help but think you'd be better off outsourcing that bit.

[1]: https://www.pcisecuritystandards.org/security_standards/getting_started.php

[2]: http://spreedly.com/

jusben1369 over 12 years ago

Honestly I am from Spreedly but you should really just use Spreedly. It works with 45+ payment gateways so I would hope there's one that would work for you. You don't want to do this yourself.

PonyGumbo over 12 years ago

Your understanding is correct - you cannot store CVV under any circumstances. There's no way around this. When we do recurring payments, we're only able to pass CVV on the first transaction.
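The pattern the two answers above describe (send the CVV to the processor once, keep only an opaque token plus the non-sensitive fields you need for renewal prompts, and never let the CVV or full card number touch your own storage) can be sketched as a small card-on-file flow. This is an added illustration, not code from the thread and not Spreedly's or any real gateway's API: `FakeTokenizingGateway`, `MerchantBilling`, `StoredPaymentMethod` and `record_is_clean` are constructed names, the gateway is an in-memory stand-in for a PCI-compliant vault, and the card number used in the test is the well-known `4111111111111111` test PAN.

```python
"""Card-on-file flow that never persists the CVV or the full PAN.

Constructed example: the gateway below is a stand-in for a hosted,
PCI-compliant tokenization service. A real provider's calls differ,
but the shape is the same: full card data goes out once, a token
comes back, and every recurring charge uses the token only.
"""
import re
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used only as a cheap sanity check on input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class FakeTokenizingGateway:
    """Constructed stand-in for a tokenizing gateway (not a real API).

    The PAN/expiry live in the gateway's vault, never in the merchant's
    database. The CVV is verified on the first charge and discarded.
    """

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}

    def tokenize_and_charge(self, pan: str, expiry: str, cvv: str, amount_cents: int):
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("invalid card number")
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("invalid cvv")
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, expiry)          # CVV deliberately not stored
        return token, {"status": "approved", "amount": amount_cents, "cvv_checked": True}

    def charge_token(self, token: str, amount_cents: int):
        if token not in self._vault:
            raise KeyError("unknown token")
        # Recurring charge: no CVV is available, and none is required.
        return {"status": "approved", "amount": amount_cents, "cvv_checked": False}


@dataclass(frozen=True)
class StoredPaymentMethod:
    """The only card-related fields the merchant keeps."""
    token: str
    last4: str
    expiry: str      # MM/YY, kept so the customer can be prompted before it lapses


ALLOWED_FIELDS = {"token", "last4", "expiry"}


class MerchantBilling:
    """Merchant side: holds tokens, never raw card data."""

    def __init__(self, gateway: FakeTokenizingGateway) -> None:
        self.gateway = gateway
        self.methods: dict[str, StoredPaymentMethod] = {}

    def first_payment(self, customer_id: str, pan: str, expiry: str, cvv: str, amount_cents: int):
        # The CVV travels to the gateway exactly once and is not retained here.
        token, result = self.gateway.tokenize_and_charge(pan, expiry, cvv, amount_cents)
        self.methods[customer_id] = StoredPaymentMethod(token=token, last4=pan[-4:], expiry=expiry)
        return result

    def recurring_payment(self, customer_id: str, amount_cents: int):
        pm = self.methods[customer_id]
        return self.gateway.charge_token(pm.token, amount_cents)

    def stored_record(self, customer_id: str) -> dict:
        """What would actually be written to the merchant database."""
        return vars(self.methods[customer_id])


def record_is_clean(record: dict, pan: str, cvv: str) -> bool:
    """Guard for persistence: reject any record carrying a PAN, a CVV,
    or a field outside the allow-list."""
    if set(record) - ALLOWED_FIELDS:
        return False
    values = [str(v) for v in record.values()]
    if any(pan in v for v in values):
        return False
    return not any(v == cvv for v in values)
```

The `record_is_clean` guard is the kind of check worth running in tests against whatever your persistence layer actually emits: it catches the common mistake of logging or serializing the whole request object (CVV included) rather than the token record.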