• Evil Kraig F (10/4/2012)


    Chi Chi Cabron (10/4/2012)


    Thanks for all the input! I really appreciate the advice. I'll definitely ask for a meeting with the lawyer. Very good advice.

    Excellent. When you're done, do me a favor? Post back here.

    Last time I checked the documentation, CSC cannot be stored for longer than 30 seconds and never in permanent storage, only in a variable. If that's changed I'd really like to know it.

    Amazing what a little regulation does for requirements! After looking into PCI requirements, I also found that CSC (or other authentication methods) can never be stored. So when I brought this to the attention of the department head and suggested we look into our options with the lawyer, he quickly rescinded that particular requirement. Turns out, the CSC is not required by our CC processing software; that requirement was just put there "just in case we ever needed it."

    We can support the other PCI compliance requirements, so when I began going through the PCI self-assessment questionnaire with the department head, he had the brilliant idea that maybe it would be better to have the data entry employees also do the CC processing. That way, we don't have to store ANY CC data, just store the confirmation code from the CC processor.

    Of course, that's what I initially suggested. But the upside is that the basic table structure that was my original question does not change, and the security considerations have become a lot more manageable.

    Thanks again for all the great input.