Credit Card Details not Held, apparently.
This statement appears in the CRC Terms and Conditions under the heading "Credit Card Security":
"When your order is processed your encrypted credit card number is removed from the web server. This means that there is no way that someone can obtain your credit card number from CRC so you can order with confidence!"
So, assuming this is a true statement, the card number is encrypted wherever it is stored. It states "removed from the web server" and not "the database", so I would make the wild assumption that maybe the number is stored in the session for the life cycle of the order processing, and once complete the session is wiped.
This leads me to believe, again assumptions galore, that the site uses a 3rd party payment provider, which they integrate with via an API. The card details are entered onto their site, and then communication with a 3rd party server takes place "in the background".
This should mean that they need to comply with the highest level of PCI DSS, as they are both storing the details (in the session) and transmitting them to another location for processing.
I personally never handle card details in ecommerce sites I have developed. Far better to offload the whole thing to a reputable payment service provider, via a hosted solution, so you never have to touch, store or see the details ever. If your systems never have that data, then you can never compromise that data.
However, I must add that if you do use a 3rd party provider, you still need to undergo PCI DSS and complete a Self Assessment, and you are responsible for verifying the PCI compliance level of your 3rd party provider.
But I ask the question: why am I made to jump through all these PCI hoops, scans and checks, but when instances like this happen with big e-tailers, nothing ever seems to happen? I bet if something like this happened to the little guy, there would be many lashes received.