Re: Should not be allowed
Maybe I'm missing something,
Err yep...
but when you pay by credit card you don't pay the seller directly; you are redirected to the bank site, which processes the payment.
That's not normally how it works. You enter your card details into the vendor site, which then passes those details to a payment verification gateway. The payment verification gateway either approves or declines the payment, based on cardholder details, card number and CVV.
If the payment verification is successful then at this point in the transaction, there optionally may also be a call to the bank's card verification process. Successful payments receive a token which is stored in the vendor database against the transaction ID to action refunds or repeat purchases.
Why are they allowed to store in their DBs the credit card numbers?
They aren't. Some cowboy outfits may do, but it's not common. If it's a vendor where you register an account, the vendor may store the last four digits of the card alongside the transaction token and user details, just so you can re-use the card for future transactions, but the four digits are simply there to display to the user so he/she can identify the saved card, not for use in transactions.
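The flow described in the reply above, as an added example that is not part of the original post: the vendor passes card details to a gateway and keeps only the returned token and the last four digits against the transaction ID. `FakeGateway`, its approval rule, the table layout and the card number are all constructed for illustration.

```python
import secrets
import sqlite3

def luhn_ok(pan):
    """Luhn checksum, used here as the fake gateway's card-number check."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class FakeGateway:
    """Hypothetical in-memory stand-in for a payment verification gateway."""
    def __init__(self):
        self._vault = {}        # token -> card number, held by the gateway only

    def authorize(self, pan, cvv, cardholder):
        # Constructed approval rule: non-empty name, Luhn-valid number, 3-digit CVV.
        if not (cardholder and luhn_ok(pan) and cvv.isdigit() and len(cvv) == 3):
            return None
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def refund(self, token):
        return token in self._vault   # the token alone identifies the payment

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payments (txn_id TEXT PRIMARY KEY, user TEXT, token TEXT, last4 TEXT)")
    return db

def checkout(db, gateway, txn_id, user, pan, cvv, cardholder):
    """Vendor side: card details pass through to the gateway and are not persisted."""
    token = gateway.authorize(pan, cvv, cardholder)
    if token is None:
        return False              # declined: nothing is written
    db.execute("INSERT INTO payments VALUES (?, ?, ?, ?)", (txn_id, user, token, pan[-4:]))
    return True

def stored_rows(db):
    return db.execute("SELECT txn_id, user, token, last4 FROM payments").fetchall()

if __name__ == "__main__":
    db, gw = make_db(), FakeGateway()
    checkout(db, gw, "T1", "alice", "4111111111111111", "123", "A Cardholder")  # constructed test number
    print(stored_rows(db))
```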