by abdulqabiz 5522 days ago
@happyfeet, most Indian companies have certifications (ISO and whatever); in practice, how many follow things? I am not sure how they got PCI DSS, but I know how easy it is to get ISO XXXX certifications.

Certification doesn't mean anything. In reality, whatever it takes to protect data, companies should do that, even if it means doing things which are not written in books.

@kamaal, I agree with you. CCAvenue must have had these since its first version; they were fortunate no one ever tried SQL injection attacks on them.

It looks like either the CEO is not technical, or he is misinformed, or the engineers who implemented it have no idea about hashing, encryption and other terms. I bet most freshers or even experienced engineers here in India would not know about SQL injection and storing passwords as hashes.

Having said that, there are brilliant guys here as well, hence all those R&D centers of Y!, Google, et al.