They don't have to store it in plain text, but they do need to store it with reversible encryption (as opposed to hashing) so that they can use it to login to the bank's website.
Right, that's my point. There is no technical requirement to be stored as plain-text.
Though I would imagine that encryption, by definition, is two-way (encrypt, decrypt).
As an aside, do merchant account API services provide a secure-token service to store credit card information? That is, I enter in my VISA credit-card, click "save" and Amazon.com gets a unique token back that identifies this credit card. When I later go to purchase an item, Amazon uses this token to with VISA to charge my card? IIRC, that is how Stripe works, but I wonder if each credit card manufacturer now supports this, as part of PCI compliance.
