I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing.
Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information in plain text within a MySQL database. A notification then gets sent to his email that someone has ordered. Thereafter, he has an administrative back-end page that he views the orders and credit card information which he uses to process offline with his own merchant.
After retrieving the information from the back-end page, the credit card number and CVV2 is immediately deleted (PHP script automatically called). The information is also deleted if that page is not accessed within 7 days. So, there is a potential for all of the information to be in the database in plain text for seven days before transaction processing.
This does not seem like a good design and may be illegal. If it is illegal, I am going to have to break this to him, because he does not realize that yet.
My question: Besides being insecure, is this illegal or a violation of terms of use (PCI DSS)? And, if so, how can I prove it to him so that he will allow me to change his ways (obviously, I don't want to put my hands into something that is illegal. Also, sometimes the wording of terms of use can seem subjective)? Finally, what are the best options for fixing this issue (3rd party online merchant, becoming PCI DSS compliant, or something else)?
That is a violation of PCI DSS. Not only are you storing information you aren't supposed to be storing (CVV) but you're not encrypting the credit card number (also a violation).
Even worse he is violating Visa and MasterCard guidelines which state that all online transactions must be processed using an ECI compliant device or software and Internet orders must have a separate merchant account. Their credit card terminal is definitely not ECI compliant as none are. They need to get a new merchant account and use a payment gateway like Authorize.Net to process these orders.
Edit
Since I doubt the webbsite owner will actually bother to get a new merchant account or implement a payment gateway your best bet is to use two way encryption to store this information. Then make sure the page they use to retrieve the credit card information is encrypted (SSL cert) so the information is secure from end-to-end.
I highly recommend getting an Internet merchant account and using a payment gateway like Authorize.Net. Besides being PCI and ECI compliant and just the smart way to go, the potential for the business to not only lose their merchant account but to be blacklisted and prohibited from ever have a true merchant account again is very high. All it takes is one chargeback for their merchant account provider to realize what they are doing and for the trouble to start.