Update: In the three years since I wrote this answer, I've learned more about PCI, and a newer spec has been released. While the information below is not wrong, step 1 puts you in PCI scope at the "D for Merchants" level, which is the most onerous.
The better way to handle this is to not touch the card data yourself. Either you use a form provided by your processor which sends them the data, or you just redirect to them (like with PayPal). Both options can put you at the "A" or "A-EP" levels, which are much easier to certify.
Either way, you would still receive a token, which is safe to store, so steps 3 and 4 are still applicable.
Original Answer:
I heard that for an alternative (and probably the easier option), a service provider (which you place the transaction with) will give you a key that can be used to retrieve transaction information.
This is true. Basically, the process is:
- Get credit card information from customer / user. Store it in an in-code variable (i.e. not a file, or a log, or a database).
- Send credit card information to your processor (such as Authorize.NET, Payware, Paypal, etc).
- Receive a response which includes a "token" of some sort. This is the way you identify this particular transaction for future communications with the processor.
- Store the token into your database. Encryption would be nice, but not necessary, since the token simply refers to "Transaction #12345", and has no sensitive information by itself.
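The four steps above, as an added worked example that is not part of the original answer. `FakeProcessor` is a hypothetical in-process stand-in for a real gateway (Authorize.NET, PayPal and the others each have their own SDK or HTTP API, not shown here); the card number used is the well-known constructed test value that passes Luhn, not a real account. The merchant side keeps the PAN and CVV only in local variables, persists nothing but the token and last four digits, and scrubs anything card-shaped that reaches a log line.

```python
"""Tokenised card flow: card data stays in local variables, only the token
is persisted. FakeProcessor is a hypothetical in-process stand-in for a real
gateway API and is not any vendor's SDK."""
import logging
import re
import secrets
from dataclasses import dataclass

log = logging.getLogger("payments")

# Matches 13-19 digit runs with optional space/dash separators, i.e. something
# shaped like a card number. Used to scrub anything that might reach a log.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_pans(text: str) -> str:
    """Replace anything that looks like a card number with a placeholder."""
    return PAN_RE.sub("[REDACTED-PAN]", text)


class PanRedactingFilter(logging.Filter):
    """Last line of defence: scrub PAN-shaped strings from log records."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


log.addFilter(PanRedactingFilter())


def luhn_ok(pan: str) -> bool:
    """Basic Luhn sanity check; does not prove the card is real or funded."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FakeProcessor:
    """Hypothetical processor. The PAN-to-token mapping lives here, on the
    processor's side of the boundary, never in the merchant's database."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # token -> PAN

    def charge(self, pan: str, expiry: str, cvv: str, amount_cents: int) -> dict:
        if not luhn_ok(pan):
            raise ValueError("card number failed Luhn check")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "status": "approved"}

    def refund(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"token": token, "status": "refunded", "amount_cents": amount_cents}


@dataclass(frozen=True)
class StoredTransaction:
    """What the merchant keeps. Deliberately has no field for PAN or CVV."""
    token: str
    last4: str
    amount_cents: int


def process_payment(processor: FakeProcessor, db: list, pan: str, expiry: str,
                    cvv: str, amount_cents: int) -> StoredTransaction:
    """Steps 1-4 of the answer: card data exists only in these locals."""
    resp = processor.charge(pan, expiry, cvv, amount_cents)   # steps 2 and 3
    record = StoredTransaction(resp["token"], resp["last4"], amount_cents)
    db.append(record)                                         # step 4: token only
    # Even a careless log line gets scrubbed by the filter registered above.
    log.info("charged %d cents on card %s -> %s", amount_cents, pan, record.token)
    return record


def refund_by_token(processor: FakeProcessor, record: StoredTransaction,
                    amount_cents: int) -> dict:
    """Later communication with the processor uses only the stored token."""
    return processor.refund(record.token, amount_cents)


def db_contains(db: list, needle: str) -> bool:
    """Crude check that a value never ended up in the persisted records."""
    return needle in repr(db)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    processor, db = FakeProcessor(), []
    # Constructed test card number (passes Luhn), not a real account.
    rec = process_payment(processor, db, "4111111111111111", "12/29", "123", 1999)
    print(rec, refund_by_token(processor, rec, 500), db_contains(db, "4111111111111111"))
```

The `StoredTransaction` record has no place to put a PAN, which is the point: the database schema itself should make step 4 the only thing you can store. The logging filter is belt and braces for step 1, since a stray debug line is the usual way card data leaks out of an "in-memory only" design. What a token lets you do later (refund, void, repeat charge) depends on the processor; the answer's "Transaction #12345" semantics is what the stand-in models.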