Question

I have an iPhone app that needs to process a credit card payment with a REST XML API that is hosted by another company. The service does not allow me to process a transaction with their previously saved credit card data. This poses a problem because I don't want the customer to have to enter their payment information with each transaction.

I was looking at setting up a parallel database and storing the credit card data in the cloud with either Amazon SimpleDB or DynamoDB.

What I am wondering is if anybody else has had this issue, and what you would recommend as the best path to take. The solutions that I have considered so far are:

Option #1

  • Use a Token Vending Machine to get credentials to access Amazon SimpleDB
  • Store the token in the keychain
  • Encrypt the payment data on the phone using AES 256 encryption
  • Upload the data to the cloud database
  • When the user wants to process a transaction, download/decrypt the data from amazonDB and process the transaction normally through the company's REST API

Option #2

  • Use a server-side technology (Ruby, etc.)
  • iPhone app posts to a server the REST URL missing the payment info
  • Have the server communicate with Amazon SimpleDB
  • The server app appends the credit card data, processes the transaction, and returns the result to the app

Option #3? Is there a better way I should be doing this?

Solution

That is a really bad idea; you can't store credit card data like this. If you really want to avoid the user having to enter payment information with every transaction, store it locally on his device, maybe in the keychain. But only if the user explicitly allows this. You also might want to check with a lawyer about that; mishandling of credit card data can get you in a whole lot of trouble.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow