I would make sure that the numbers have an encryption on them and DO NOT store the 3 digit CSV number from the back of the card.
In short, you're in big trouble if that happens. The best idea, of course, is not to store credit card details at all (consider very carefully whether you really need to). As ServerUnion says, you'd have to store it all in an encrypted form anyway, preferably on a machine not connected to the Internet.
It appears to me that the popular open source script osCommerce stores credit cards in a database without encryption. Is this true?
I doubt it. Seems to me it splits the card number in half, emails half and puts the other half in a database.
Serious. In some states, such as California, upon finding out of the security breach you would be legally required to contact everyone whose card was potentially compromised and alert them. This is true whether you store them on paper or on a computer. The best advice: don't store credit card information. Or you can always let a third party do it for you.
There are many laws that restrict you from storing clients' credit card information in a database. As browntown has stated, you could be legally responsible if anything were to happen.
You will need to meet the VISA/MasterCard security standards. I would STRONGLY suggest you contact your payment processor. Here are my 10 cents, but it is not legal advice. All data should be encrypted. All data! Never store the CVC code. For support-related systems, only display the last 4 digits of the credit card number. Make sure your system is behind a firewall and other security hardware. You should really contact your payment processor though. Take a look at this: http://www.securitymetrics.com/sitecertinfo.adp
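The "never store the CVC" and "only display the last 4 digits" points from the post above, as an added Python example that is not part of the original thread. The field names (`card_number`, `cvc`, `notes`) and the sample order are constructed for illustration, and encryption at rest is not shown.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Hypothetical field names that hold the card security code; never persisted.
SECURITY_CODE_FIELDS = {"cvc", "cvv", "cvv2", "cid"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last 4 digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub_text(text: str) -> str:
    """Mask Luhn-valid card numbers that ended up in free text (notes, logs)."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_pan(digits) if luhn_ok(digits) else match.group()
    return PAN_RE.sub(repl, text)

def prepare_for_support(order: dict) -> dict:
    """Copy of an order record that is safe to show in a support system."""
    out = {k: v for k, v in order.items() if k.lower() not in SECURITY_CODE_FIELDS}
    if "card_number" in out:
        out["card_number"] = mask_pan(out["card_number"])
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out

if __name__ == "__main__":
    # Constructed sample record; 4111... is a widely used test card number.
    sample = {
        "card_number": "4111-1111-1111-1111",
        "cvc": "123",
        "notes": "Customer read out 4111 1111 1111 1111 by phone, ref 1234567890123456",
    }
    print(prepare_for_support(sample))
```

The Luhn check keeps order references and other long digit strings intact while still masking card numbers typed into free-text fields.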
I wouldn't suggest storing credit cards in a database. :-\ If you really have to, use a script like osCommerce as it is already secure.
How about if you have osCommerce installed on a shared hosting account with a web host like GoDaddy? Is that considered secure?
This is more about protection, not if you get hacked. If you made no effort to protect the data, plan on settling with a few states, mainly New York.