You will need to follow (to the letter) and preferably exceed the PCI DSS standard. This is, in no way, an easy task to accomplish nor should it be taken trivially.
I strongly recommend that you find a third party processor that can handle this for you and integrate it into your billing system. It goes WAY beyond just having SSL and encrypting the information in the database. You also have to monitor access, detect intrusions, have systems in place that can notify only affected people in the event of a breach (and determine what data may have been compromised), etc.
Then, there is physical access to the servers, the network, etc. This means a locked cabinet that is not shared on servers that you own where the physical LAN is also protected. Compliance is not going to be cheap, or
Really, spend every effort possible to offload this to a third party. The liability alone is simply not worth the risk unless you're talking transactions that amount to hundreds of thousands of (insert your currency here) monthly. In that case, the fees you save might justify bringing on the talent needed to implement and monitor systems that store the information. You'll need:
- Systems programmers (you will need kernel and file system level auditing hooks)
- IDS/IPS gurus (unless you love vendor lock-in)
- 24/7/365 staff to monitor the alerts generated from the systems that the experts designed. These people aren't cheap, they make the decision to pull the billing plug or report a bug in the algorithms that you use.
And then again, you could offload all of that to a third party, quite cheaply.