We're developing a new piece of software (really just a single php script) that collects cardholder information and stores it in a MySQL database. Obviously we're taking every precaution with security (Firewall, Anti-Virus, SELinux, restrictive access to the machines), but we're trying to understand what steps we need to take next before taking it live.
As the client is a Level 4 Merchant (no actual transactions, just storage of cardholder information), what scans do we need to go out and find?
Obviously we'll need to have the server/IP scanned, but what about the php script collecting the data?
The fact that your client isn't actually performing transactions doesn't impact their compliance obligation as PCI/DSS applies just as much to card data storage as it does to transaction processing, infact if they are classifiable as a "Service Provider" there are additions obligations.
Depending on your relationship with your client and how you classify your software (a service/off the shelf product etc) you may also have additional obligations under PA-DSS which is geared at the developers of payment (incl just storage) software, and can get pretty hardcore if your selling something designed to be PCI compliant.
If you look through a copy of V2 of the spec all the requirements are listed, 6.6 explains what you need to do with public facing web applications ("independent" code review or application firewalling) for example.