
That's totally shit.

It's also why we invoice and take wire payments rather than storing CC details. There's just so much to go wrong.

Also PKI is shit for this sort of thing. As demonstrated, the moment that public key is gone, the whole system falls like a house of cards. For the non-believers of this fact, why else would there be a certificate revocation list and periodic root CA updates for Windows...



Using a processor who stores the card number outside of your infrastructure (ie. Stripe) can also be helpful.


Even better to use someone that isn't your payment processor, so that should you need to change payment processors you don't also have to re-acquire all the billing info from your customers. You can use Stripe today, PayPal tomorrow, and Braintree the next if that's what works best for your business.

Card vaulting as a service: https://spreedly.com/ ($10/mo for up to 5000 cards)


Isn't that just adding one more point of failure? I don't trust myself, I barely trust Stripe or Paypal, and I've not even heard of spreedly.


There's always going to be single points of failure, but which is more likely: you want or have to change payment processors (you've been terminated, your fees have gone up, you want to switch to a lower cost provider) or you want to change flat-rate vaulting services? Plus, Spreedly will give you your data if you leave, whereas there is no way to get stored billing info out of most payment processors.


Until they have a security breach.


Better to rely on someone whose sole job is securing that info than doing it yourself.


Storing credit card info just helps make you a bigger target. If you're a small company, better to let someone else store card info and let them be the target.

Also, you're fined by the credit card companies if you lose card information. I believe it's a per-card fine, so it gets expensive really quickly.

Actually I don't get why any company would choose to store credit card information, when most payment providers will do it for you.


Stripe is amazing... I trust them, someone hacks me, awesome, you got password hashes and stripe customer keys, all worthless.


Not exactly worthless, depending on the hack someone could still charge an awful lot to your customers and make you have a bad day.

But yes, significantly better than other situations.


True, but I'd rather fix the problem that got them in, force reset of passwords, and delete all customer keys and require them to create new ones than be like "uhhhh, our data was hacked and your credit card is safely encrypted... But we had the encryption key on the server too, oops"
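The pattern the last few comments are arguing about (merchant keeps an opaque token plus the last four digits, the vault keeps the card number, and a breach response is "rotate the API key and re-issue tokens" rather than "our encryption key was on the same box"), as an added example that is not code from the original thread. The `CardVault` class is a hypothetical stand-in for a hosted vault, not Stripe's or Spreedly's API, and the card number is the standard constructed test number, not a real account:

```python
"""Tokenised card storage: the merchant keeps an opaque token, the vault keeps the PAN."""
import re
import secrets
import string

# Constructed, Luhn-valid test card number (a common test PAN), not a real account.
TEST_PAN = "4242424242424242"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects typos at entry and flags real-looking PANs in a dump."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Hypothetical vault (stand-in for a hosted vaulting service).
    It is the only component that ever sees the full card number."""

    def __init__(self):
        self._cards = {}        # token -> (pan, exp); a real vault would encrypt this
        self._api_keys = set()  # keys the merchant uses to charge against tokens

    def issue_api_key(self) -> str:
        key = "sk_" + secrets.token_hex(16)
        self._api_keys.add(key)
        return key

    def revoke_api_key(self, key: str) -> None:
        """Breach response: a stolen key stops working the moment it is revoked."""
        self._api_keys.discard(key)

    def tokenize(self, pan: str, exp: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Tokens are letters only, so no digit run in a merchant dump can look like a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(20))
        self._cards[token] = (pan, exp)
        # The merchant only gets what it needs for display and customer support.
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def charge(self, api_key: str, token: str, amount_cents: int) -> dict:
        if api_key not in self._api_keys:
            raise PermissionError("api key revoked or unknown")
        if token not in self._cards:
            raise KeyError("unknown token")
        return {"token": token, "amount_cents": amount_cents, "status": "succeeded"}


class MerchantDB:
    """What the merchant persists: a token and display data, never the PAN."""

    def __init__(self):
        self.customers = {}     # customer_id -> {"token", "last4", "exp"}

    def store(self, customer_id: str, card_ref: dict) -> None:
        self.customers[customer_id] = card_ref

    def dump(self) -> str:
        """What an attacker who copies the merchant database walks away with."""
        return repr(self.customers)


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def pans_in(text: str) -> list:
    """Luhn-valid 13-19 digit runs in a blob of text (a DB dump, a log file)."""
    return [m.group() for m in _DIGIT_RUN.finditer(text) if luhn_valid(m.group())]


def demo() -> dict:
    vault, merchant = CardVault(), MerchantDB()
    api_key = vault.issue_api_key()

    # Checkout: PAN goes straight to the vault; the merchant stores only the reference.
    card_ref = vault.tokenize(TEST_PAN, "12/29")
    merchant.store("cust_1", card_ref)
    leaked = pans_in(merchant.dump())

    # Normal operation: charge by token with the merchant's API key.
    status = vault.charge(api_key, card_ref["token"], 1999)["status"]

    # Breach response: revoke the key; stolen token + old key is now useless.
    vault.revoke_api_key(api_key)
    try:
        vault.charge(api_key, card_ref["token"], 1999)
        stolen_key_works = True
    except PermissionError:
        stolen_key_works = False

    return {"pans_leaked": leaked, "charge_status": status, "stolen_key_works": stolen_key_works}
```

`pans_in` is the check worth running over your own database dumps and log files, since the point of vaulting is lost if a PAN ever lands in a debug log on the way to the vault. The revocation step is the practical answer to the "not exactly worthless" objection above: a stolen token is only chargeable while the API key it is paired with remains valid.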


But you still might need to consider data residency issues and making your customers aware of where their data is being stored.


Yes

But if that happens, it's not your responsibility (at least not 100%), it's theirs


Following the traditional responsibility/accountability dichotomy: They are responsible for storing the cc number securely but you are accountable when something goes wrong (because you gave them that task)

Much like Linode are responsible for hosting my clients site but I sigh am accountable when something goes wrong.


In what ways are wire payments better than using credit cards? In wire payments, aren't you using the actual bank account numbers along with routing numbers, which is also very sensitive information?

Also I do not think, but I am not sure, that fraudulent wire payments/transfers are reversible.


They're not. You're right.

Wire transfers often are not able to be undone once they happen (and are accepted by the other bank). This is the reason why there's so much verification that happens in wire transfers. (I helped develop 2nd factor authentication used for authenticating wire transfers for a financial company)

Credit card charges can be reversed.

http://www.reba.net/news/wtransfer




