Somebody is storing credit card data - how are they doing it?

Question

Storing credit card information securely and legally is very difficult and should not be attempted. I have no intention of storing credit card data but I\'m dying to figure out

Answer 1

Your assumption that the merchant must store the card somehow is incorrect. Most likely, the merchant is storing a token that it received from the payment processing gateway the first time you used the card. The token uniquely identifies the combination of merchant and card. Subsequently, you can make purchases from that merchant without supplying your card number again. If the merchant's database is compromised, the tokens are of little value to the attacker. They're only valid for that merchant, and they can all be canceled at once when the breach is detected.