Following standards set by Recurly, Simple Renew implements a system for using encrypted billing tokens.
"Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system."
Wikipedia, Tokinization (data security)
Simple Renew is designed to never accept either Credit Card Number or CVV number directly in PHP. The gateway implementations are expected to handle the creation and use of tokens generated in Javascript directly between the user's browser and the gateway site over a SSL connection.
This prevents any sensitive financial data from passing through the server on which Simplerenew is running. This limits the need for users of this application to go through any additional PCI certification as this is the responsibility of the gateway provider (Recurly).
For further reading:
- Tokenization Guidelines by the PCI Security Standards Council
- Recurly PCI Compliance (in particular the section on recurly.js)