
> Interested in exactly when it becomes impractical.

Having multiple payment service providers, for example (or the plan to do so in the near future).

Another example would be complex legacy systems (especially in the travel segment, constellations between various service providers get complex quickly).

> I'm prepared to go to quite an extraordinary amount of effort to make sure PANs and cardholder data never come near any system I am responsible for.

No objections there :)

> you can't actually handle payments without storing CC numbers.

Now you're putting up a straw man. It's definitely not impossible, but in some circumstances, it can be very hard.

Also, somebody will have to store the PANs in a database in the end, even if it's just the payment service providers themselves. There are far fewer payment service providers than merchants out there, but by the same logic, that makes them a much more valuable goal for attackers.


