One of my customers was going through PCI DSS compliance recently and discovered that the cloud service they are using for CRM is not secure enough to store cardholder data for taking payments at a later stage. He told me that they decided to keep that data on their local server (probably in a Word or Excel document). I advised them not to do that, so he asked what if they used a password manager like KeePass to do that. While it is better than a plain Word or Excel document, I believe that it is not the way to do it. They do not have an online store, but I was wondering that if they set one up and made it private so that only employees can access it, would it be more secure?
Do you know what the best way to do it is? They do not want to store the PIN numbers and will call up for those.
I would prefer something in the cloud which has been designed for something like that, because my customer is a small business and doesn't have the budget to get all the security appliances required to be reasonably secure.
Can you advise please?