Security reasons
Cos if it's the NSA doing it then it's the National SECURITY Agency therefore not economic by deniability/definition/whim/etc
Mine's the one with the Noam Chomsky book in the pocket.
Mandiant boss Kevin Mandia says he has cut back on email and only uses an iPad to check his inbox as he fends off counterattacks from hackers. In 2013, the company published a landmark report on the so-called APT1 espionage crew: the detailed dossier claimed Shanghai-based People's Liberation Army Unit 61398 had hacked and …
"I thought that they weren't allowed to store credit card numbers, never mind in plain text?"
Why would they not? Any regulation? Not.
So, of course, everyone is doing it, and of course in the clear because it's easy. Don't be fooled by the fact that you see stars and no number in the portal; it's just a front-end illusion (it's all clear in the DB behind). I've seen only a few exceptions in my decade of online purchases, for services that connect to real banks instead.
Just to name a few:
- Amazon is storing your CC numbers
- Steam as well
- PayPal as well
- 98% of the French local online purchase sites
That's why you must NEVER put in your real CC number, and rely on a special secure payment method like E-visa.
Actually there is a regulation: it's called PCI DSS.
Violation of it can result in increased transaction fees or (more likely) a suspension of your merchant account. (https://www.pcicomplianceguide.org/pci-faqs-2/#11)
PCI DSS does require that merchants not store the full CC number unencrypted. (https://www.pcicomplianceguide.org/pci-myths/#myth9)
That said, just because it's the rules doesn't mean they're followed.
For all we know, the compromised server was storing the credit card numbers on an encrypted hard drive or encrypted database store. However, if the data was extracted whilst the system was running, this provides little protection against getting the unencrypted view of that data. After all, if the application needs access to the credit card numbers to function, then encryption is only a minor hurdle - if the app has the key and can decrypt them, then so can attackers.