I'm the person who created the IRV2 thread, and should make a couple things clear. First, there was no issue with FMCA's credit card transaction data. I never made that statement -- as someone else has said, it's important to read the entire post, not just skim it, especially if you see something alarming. The security of their credit card processing is not the issue at all.
The issue is the simple fact that it's always a very bad practice -- and a completely unnecessary one -- to store user passwords in plain text, even if your credit card processing meets all requirements. Why? Well, because if your database gets compromised, the bad guys now know who you are (your email or other identifying information) *and* a password that you use. Do you use that password somewhere else? A bank, perhaps? The bad guys will employ their bots to try various obvious combinations of user information and that password at every place they can think of.
That's why it's always a bad idea to store passwords in plain text. That's why I recommended (in the original post) (1) you change your FMCA password to a unique one, so that if FMCA gets hacked in the future, the bad guys won't be able to use it elsewhere, and (2) you change the passwords on all other accounts that were the same as FMCA, so that if FMCA has already had a breach and just hasn't realized it yet then your other accounts will no longer be vulnerable that way.
