"Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."
Having integrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.
What we have now is a token we can use. The token is returned after a payment is made. You can keep this token in the DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.
Pretty much useless for a criminal.
The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average Chinese restaurant chain.
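
The token scheme described in the comment above, as an added sketch that is not part of the original comment and not any real processor's API. The `Processor` class, the merchant ids and the card number are constructed for illustration; the merchant binding is modelled the way the comment describes it.

```python
import secrets


class Processor:
    """Toy payment processor (hypothetical; not any real gateway's API)."""

    def __init__(self):
        self._vault = {}   # token -> (card number, merchant the token belongs to)
        self.ledger = []   # (payee merchant, amount in cents)

    def pay(self, merchant_id, pan, amount):
        """First purchase: the card number is seen once and a token is returned."""
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the card
        self._vault[token] = (pan, merchant_id)
        self.ledger.append((merchant_id, amount))
        return token

    def charge_token(self, merchant_id, token, amount):
        """Repeat purchase: only the merchant the token was issued to may use it."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            return False                        # unknown token or wrong merchant
        self.ledger.append((entry[1], amount))  # money goes to the original payee
        return True


def demo():
    processor = Processor()
    merchant_db = {}                  # all the shop stores: customer -> token
    pan = "4111111111111111"          # constructed test card number
    merchant_db["alice"] = processor.pay("shop-A", pan, 1500)

    repeat_ok = processor.charge_token("shop-A", merchant_db["alice"], 900)
    # A copy of the shop's database, presented under a different merchant account.
    leaked_ok = processor.charge_token("shop-B", merchant_db["alice"], 900)
    pan_in_db = any(pan in value for value in merchant_db.values())
    return repeat_ok, leaked_ok, pan_in_db, processor.ledger


if __name__ == "__main__":
    print(demo())
```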