Originally Posted by Nexus Racing
I am not completely sure, but I believe it is against the law (in the USA) for shops to store the customer credit card info in an online admin for long periods. We ourselves purge the CVV codes right after processing each transaction, and we purge the credit card info every couple of days.
It is not illegal but I believe there are strict requirements to doing this, otherwise the card companies (visa, etc.) can refuse to do business with you and your merchant provider will pull the plug. However it is also somewhat difficult for them to prove that you are doing this so it is more of an idealistic rule/law.
Most point of sale systems will print the full card number and expiration date right on the merchant receipt, which is arguably an even worse place to put things, since they are so easily misplaced or stolen. This is part of what CVV codes were introduced, to add a "missing link" bit that is not printed on those hard-captured receipts.
Ultimately it is up to the merchant to make sure they are treating the customers' credit information in the sensitive manner it deserves.