I always find the idea that the merchant stores payment card details rather worrying. Do they store enough details to facilitate fraudulent debits?

Here in NL they've found a way around that: most web shops, etc. use the iDEAL system. Basically the customer indicates which bank they use, the merchant sends the transaction details to that bank, the customer uses the bank's usual method (token, etc.) to approve the transaction, and the merchant receives the bank transfer. So the merchant simply doesn't have access to data which could be used fraudulently. Costs the merchant EUR 0.29 per transaction, I think. Just saw that there are also overseas payment processors which support the system.

But obviously depends on the banks agreeing to cooperate, which is perhaps less likely in the UK business environment.

