by IWillForgetThis 1290 days ago
My first job out of college (2007) involved a lot of removal of early 2000s one-off custom payment processing code. Access DBs full of years' worth of credit card numbers, code that just emailed the credit card details to the site owner without keeping a record, etc. It was definitely a different world. Most of them, I just switched to PayPal shopping cart and checkout. In retrospect, I didn't know wtf I was doing and probably shouldn't have been working on it.
2 comments

Yeah, I worked for an agency around the same sort of time and saw exactly the same kind of thing.

I remember one site that saved all the CC and order details to a plain text file in the web root. This was opened using an FTP programme every evening and someone would run the numbers through the machine in their store and post out the orders...

This surprisingly sounds very much like the actual ACH system still in use today in the US (from my limited understanding)
If it's any consolation, the entire industry was in that state: poor controls, poor encryption, and security, etc.
"was"? It still seems like a confused mess with lots and lots of 'security' that people ignore
Sure, there's always room for improvement, but at the very least SSL/TLS is ubiquitous now, the actual TLS versions are much better, developers generally view holding onto CC data directly as toxic (the growth of things like Stripe checkout, etc.).