True. But in any case, the simple PCI rules state that passwords for any account accessing the payment systems can't be stored or sent unencrypted, period, no matter what.
There are many things where what's completely okay for 99% of companies is unacceptable (as in, a valid reason to break contracts and incur penalties of a size that can bankrupt the company) for payment processing companies.
So what does it say about the company and how they treat security? What are they doing in the parts that are more tricky to get right and less visible to customers? Have all their systems, including that one, had a proper external audit recently - and if yes, why wasn't it noticed?
They don't know the security rules that are mandatory for them?
They intentionally break them for some reason?
They are simply sloppy with security and don't check if 100% of their systems are done properly?
That some systems that they give their customers for testing are low-security and don't matter, but "don't worry everything else is done with a completely different attitude"?
They were going to fix it but didn't notice it before the feature was already live?
Can you give me one single sane reason that would excuse them?