In theory, I'd rather have it in a cookie than unprotected in a database. In practice, anyone doing something that stupid will have XSS exploits rendering that information available to anyone running an exploit.
While security and encryption are definitely not easy (and far less so when you're talking about adhering to PCI-DSS Level 1, which somehow actual banks never seem to do), there are plenty of well-tested libraries that make it significantly easier. Having said that, I'd prefer to see the data stored in plaintext - obviously bad - rather than using easily-broken encryption (short keys, re-used keys, bad key storage, poor algorithm, etc.) which looks OK on the surface but provides a serious false sense of security.
What really blows my mind is that Visa and Mastercard never seem to require PCI certification for their issuing banks. Being deep in the industry I realize how many middlemen and layers of misdirection there are with this kind of thing (usually to get around these security requirements), but Visa's diligence process is actually quite thorough - at least in the US. I've been interviewed by PCI auditors, and my experience was that they were actually asking the right questions, and required demonstrations to prove your claims. But for all I know, that varies widely from auditor to auditor.