Hang on...
" Payment card industry regulations require merchants to follow a maze of procedures designed to protect card data as it's stored on servers and zapped to authorization services"
Then why do the authorisation services _let_ you connect to them without using SSL or similar?
Doesn't excuse these people in any way, shape or form, but still...