Here is my advice, from the trenches: don't handle credit card numbers. Delegate that to a payment processor. All this talk about what to do to comply with PCI-DSS obscures the facts that (a) most companies would be better off not dealing with hazmat data like this, and (b) PCI-DSS could be reinterpreted more onerously at any moment.