The problem with this is very similar to the problem with the company a while back that offered IP stripping services whose name I cannot remember. Th ecompany running the tripping servers would still have access to the data.
The people who would be willing to pay for this service are going to be a bit paranoid about their identity or records (say Bill Clinton getting a membership at a pr0n site). Those people will be no happier knowing yourcompany will have that information. To be truly effective you need to be able to be audited to verify that you (the company) has no stored record.
Of course, for things such as credit card transactions this gets EXTREMELY difficult as not keeping a record of credit card transactions is, well, if not illegal, at least dumb as bricks.If you intend to issue the credit card such that the card is in a made-up name in your database and you bill the real person: your database is A) crackable via a variety of slow but eventually successful techniques, B)sepina-able, C) still a written trail to the paranoid (ie, so "Hot and Young" can no longer blackmail you when you run for Attorney General, your company can).
To make this truly secure and anonymous you need it to be double-blind. You cannot know what transactions your clients are making, but as they are your clients you need to be able to interact with them.
You may be able to work something out via private/public key encryption where the normal role is reversed - the encrypting key is made public so you can post data to someone's account, and the decrypting key is held only by the client (not you). All client records woul dneed ot be encrypted via the encryption key as they enter your system. (this still leaves you open to packet sniffing, but if you pgp the data between your system and client and send out random information to random addresses regularly this can be avoided, MAYBE. Actually, no, statistically it would still be possible to track down a regular user, but I diverge...) Th eproblem here comes from when you need to bill your client. If you leave amounts of purchases etc unencrypted it is still possible to track purchase patterns by watching where data moves and how much money is spent.
As described above the client has too much power because he/she is the only one capable of discovering how much he/she owes, and if the client defaults on payments that same client CANNOT be identified. If there was a way to hide the values of individual transactions and who the transaction was made with from the card issueing company (the one described above) while allowing that same company to know the balance at any given time, but not be able to track changes in balance there may be a solution. It would fall into writing a very interestig piece of code to do the transactions and then getting the code auditted. (Wow, code auditting, whata concept. I need to start codeaudit.com and make my millions, but back on topic) so that clients could be sure their information wasn't being tracked by your comapny.
This is a cool problem. Let me think on it some more and post again. In the mean time, hopefully my semi-incoherent ramblings will spark someone elses and before I get back the solution may be found.
The Entity Formerly Known as Frums
(Cuz someone nabbed my name on K5)
(I want it back :ţ)