by dankohn1
4710 days ago
I'm a fan of using client-side encryption so that the database only ever stores encrypted content, and therefore can be treated as out-of-scope for PCI compliance purposes. Take a look at https://github.com/braintree/braintree.js, which is a nice library for encrypting data with a public key before being uploaded. This is a specific exception to the generally correct concept that JavaScript cryptography is bad and should be avoided: http://www.matasano.com/articles/javascript-cryptography/ Of course, it's essential that the whole transaction take place over SSL. And even then, you still need to have a set of machines that can read from the database and access the private key, and those machines must be highly secured, as well as supporting requirements like key revocation and key rotation.
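
The pattern described in the comment above, as an added example that is not part of the original comment and is not braintree.js code: the client encrypts with a public key, the database stores only the resulting record, and only a host holding the matching private key can read it. It assumes Node.js's built-in `crypto` module and an RSA-OAEP plus AES-256-GCM hybrid scheme; the function names, key ids and record layout are hypothetical.

```javascript
// Added example (hypothetical names and record layout); uses Node.js built-in crypto.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const b64 = (buf) => buf.toString('base64');
const raw = (str) => Buffer.from(str, 'base64');

// Constructed key pair. The private half belongs only on the secured decryption hosts.
function newKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Client side: needs only the public key. Returns the record the database stores.
function encryptForStorage(plaintext, keyId, publicKey) {
  const dataKey = nodeCrypto.randomBytes(32); // one-time AES-256 key
  const iv = nodeCrypto.randomBytes(12);      // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dataKey, iv);
  cipher.setAAD(Buffer.from(keyId));          // bind the ciphertext to its key id
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { keyId, wrappedKey: b64(wrappedKey), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Decryption host: picks the private key by key id, so rotated keys can coexist
// and a revoked key is simply absent from the map.
function decryptRecord(record, privateKeys) {
  const privateKey = privateKeys.get(record.keyId);
  if (!privateKey) throw new Error(`unknown or revoked key id: ${record.keyId}`);
  const dataKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, raw(record.wrappedKey));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dataKey, raw(record.iv));
  decipher.setAAD(Buffer.from(record.keyId));
  decipher.setAuthTag(raw(record.tag));
  return Buffer.concat([decipher.update(raw(record.ct)), decipher.final()]).toString('utf8');
}
```

Storing the key id with each record is what lets the decryption hosts rotate keys without re-encrypting everything at once: old records keep resolving to the old private key until it is removed from the map.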