There is no law regarding this.
Correct me if I'm wrong, but isn't it illegal to store credit card information in plain text? Or is that just a security convention for the smaller programmers who make ecommerce scripts and not people like PayPal and Google Checkout etc.?
The next question is how good the encryption is...
At least credit card information was encrypted.
When Anonymous hacked the HBGary Federal site it turned out that their databases were encrypted, but getting passwords for users' accounts wasn't as difficult as the system designers would have obviously liked it to have been.