Excerpts from a wayward programmer.

Monday, October 29, 2007 1:15 AM (UTC+05:30)

Your Credit Card Information Will Never Be Safe

by D'Jacamo

We frequently hear about credit card data that has been stolen from some ecommerce site. Usually the thief cracks their way into the records, or the information was inadvertently exposed through ignorant coding and lax quality assurance. This has led to an emphasis on hardening servers and software. SSL has become mandatory. Certification firms provide vulnerability detection services that allow ecommerce sites to display a "hacker safe" badge touting their security. Passwords have become less crackable, with the ubiquitous "at least one uppercase, one number, and one special character" requirement. We wrap our database queries in code to thwart SQL injection. Our software constantly warns us not to give out personal or financial information over insecure channels.

Those are all well and good, but truthfully, they are rendered futile by the development practices of ecommerce web site owners and operators.

Development of websites has become globally distributed and is often performed by the "virtual corporations" we expected to arise from our networked businesses. Often an ecommerce site is created by many developers, many of whom don't even know the others exist. A typical case could be the design done in San Francisco, the graphics in Seattle, the database in Houston, the payment gateway in the Philippines, the customizations in India, the integration in New York, and the hosting at the cheapest possible place the owner can find.

To pull all these disparate resources together, the website owner needs to give these far-flung developers assets and security information: database connection strings, admin logins, SSL keys, FTP logins, hosting provider access, domain logins for terminal services, source code, and database backups.

This is where it all breaks down.

Business operators bent on making money handle these resources themselves, or delegate them carelessly. They are interested in having their ecommerce site developed for the least possible cost, not in the security of their customers' information, at least not unless it affects their profit margin. They often don't even know the nature of what they are providing to developers. Consequently, they potentially expose their customers' information at every stage of the development process.

I have seen entire database backups, with thousands of credit card numbers, sent through email. I've been forwarded all the security information available because the owner did not know, and couldn't be bothered to find out, which particular credential I needed. I have been provided with logins that were meant to be temporary but still work two years later. I have submitted code that was never reviewed by anyone other than me.

Often these exchanges are in the form of, "I need X done on my current site, here's all the information I have. I don't know what most of it means, but I'm sure you will." Enclosed is every possible login and password they have created or been given.

Often this information is provided before, as a hopelessly conscientious developer, I can stop them. Asking them to adopt more secure practices is asking them to incur cost. Cost they cannot afford because most of them are hanging by the thread of their current Google ranking.

So realize that every time you submit your credit card number to a website you're risking it being exposed to some random developer in some random country. They give away the keys to their kingdom to whoever can get them what they want the cheapest and fastest.

It's disconcerting how little this vector for potential security breaches is discussed. Is this a development community dirty little secret? Are we so thoughtless that we just take care of our little chunk of the project, take our money, and the greater good be damned?

I write ecommerce sites for a living. I wouldn't submit my VISA number to 99.9% of the sites on the internet.

Comments (1)

  1. On 1/10/2008, Korrian said:

    Oh... so true. I'm in the same type of position you are in. At one time my boss told me to make the password the same on everything we do so she could access all information without having to look it up. (because it's so inconvenient to have to look it up). I told her several times it wasn't a good idea... She told me to do it anyway. I never did it and she hasn't noticed yet. On that same note... past shopping carts I was never involved in used hidden fields to store the price and would actually retrieve the price from the hidden fields... Then would pass credit card information through unsecured channels... Just insane...
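The hidden-price-field pattern the commenter describes, as an added example (not code from the post or the commenter): a checkout total that trusts the price the browser posted back, beside a hardened version that ignores it and prices every line from a server-side catalogue, plus a check that flags submissions whose posted price disagrees with the catalogue. The catalogue, SKUs and request are constructed for the example.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("9.50")}

# Constructed checkout submission. The cart page rendered the price into a
# hidden field, and the client posted it back edited from 49.99 to 0.01.
TAMPERED_FORM = {"items": [{"sku": "SKU-100", "qty": "2", "price": "0.01"}]}


def vulnerable_total(form):
    """The pattern from the comment: trusts the hidden 'price' field as posted."""
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total


def hardened_total(form):
    """Ignores any client-supplied price; every line is priced from CATALOG
    and the quantity is range-checked before it is used."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        qty = int(item["qty"])
        if not 1 <= qty <= 100:
            raise ValueError(f"invalid quantity {qty} for {sku}")
        total += CATALOG[sku] * qty
    return total


def price_tampered(form):
    """Detection hook: True when a posted price differs from the catalogue price,
    which is worth logging even once the server no longer trusts the field."""
    for item in form["items"]:
        sku = item["sku"]
        if sku in CATALOG and "price" in item:
            if Decimal(item["price"]) != CATALOG[sku]:
                return True
    return False
```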
