I no longer send my credit card number through emails, but have no problems sending it to encrypted sites.

Even this isn't enough sometimes.

If my friend Tod happens to stumble across this thread, he can relate a situation where his credit card information was sent through clear-text email, even though he went to an encrypted site to place the order.

Here's how it worked:

The encrypted site was just a "storefront" that had no credit card processing capability, although they didn't go to the trouble of telling their customers this fact, and it looked like it was a fully-encrypted site because the proper "secure" icon appeared on the browser window.

In fact, this site didn't even handle the merchandise. They simply forwarded their orders, and the credit card numbers, to the real processing center. The way they did this was via clear text automated e-mails to their processing center.

Normally, Tod wouldn't have known about it if it weren't for the fact that, when he placed his order, the real processing center was having mailserver trouble. And because of the way they handled the orders, the return address on the email was the customer's address, not the storefront's address.

So, Tod got an "Undeliverable mail" bounce of clear-text email that contained all of his personal data, the details of the order, and his credit card information.

Needless to say, he wasn't happy about it. Nothing bad came of it, but it makes me wonder how many other e-tailers do it the same way: lure you into a false sense of security simply by using an SSL order form page, but then they're careless with the data at the back end.
_________________________
Tony Fabris