Former Verifone employee here: While it's technically true that pay-by-reference is a thing most payment processors offer it's not supported by most payment processing software and most processors treat it like a premium service. The vast majority of recurring credit card payments are sadly still done by storing an encrypted card number and decrypting it every time payment is made.
Adding insult to injury, most payment processing software also only conforms to the bare minimum encryption requirement meaning your credit card information is only encrypted using 3DES, keying 3 (meaning a whopping 56 bit key). You can attribute this poor security to laziness since that's the same encryption mechanism PINpads use so the CC co devs already had that code laying around to repurpose.
Of course I have no idea what software Dish uses, who their processor is and what those two things allow/support. Dish may actually be using proper pay-by-reference transactions or they may not, I have no idea.
None of this changes the fact that a payment system where you must reveal your secret key (cc#) in order to spend is inherently flawed, poorly designed and will be frequently compromised at every link in the chain. It's just a bad security design from the ground up.
Adding insult to injury, most payment processing software also only conforms to the bare minimum encryption requirement meaning your credit card information is only encrypted using 3DES, keying 3 (meaning a whopping 56 bit key). You can attribute this poor security to laziness since that's the same encryption mechanism PINpads use so the CC co devs already had that code laying around to repurpose.
Of course I have no idea what software Dish uses, who their processor is and what those two things allow/support. Dish may actually be using proper pay-by-reference transactions or they may not, I have no idea.
None of this changes the fact that a payment system where you must reveal your secret key (cc#) in order to spend is inherently flawed, poorly designed and will be frequently compromised at every link in the chain. It's just a bad security design from the ground up.