We have to be sure that this temporary data will be persistent and that deletion is compliant with the DoD's security standards (wiping data on the disk / avoiding storage on the disk).
I thought to store the data encrypted with the RIJNDAEL 256 algorithm + a crafted secret into memcache but I'm afraid of data loss / corruption.
I thought as well to MySQL and the memory heap storage engine but I don't know the reliability of the thing so far.
Any thoughts on the subject?
It's probably more trouble than you're expecting. As soon as you persist card details to disk the whole weight of PCI-DSS bears down on you. That means your whole network (and indeed company) comes under close scrutiny to ensure it is secure and follows strong best practice advice.
Using AES (256 bit Rijndael) is a step in the right direction, but the actual encryption is trivial compared to the difficulty in organising a PCI compliant key management system. Keys must be split (dual knowledge), cannot be stored on the same box as the data, must be able to be rotated at least yearly, and so on. Getting key management right is challenging.
Ultimately though, you will need to prove whatever solution you have come up with is PCI compliant. You prove your compliance by enrolling the assistance of a QSA (Qualified Security Assessor). The best advice would be to bring in a QSA now, so that they can advise on what approach to take, and guide you around the pitfalls where necessary.
Bringing in a QSA when the project is complete is a false economy, because if they fail your solution, you start again.
Is storing card data absolutely necessary? There are vendors (Braintree for example) that will process cards without requiring your site to store card info, thereby relieving you of the burden of being PCI compliant.
