Originally Posted by
EvilDoctorK
Yeah I think from reading that it the script would only have grabbed ******* 1234 from the card number field .. it would have grabbed the CVV as that's entered in .. but if this is correct ( and it sounds convincing) then I don't see how they'd have gotten the full number from a 'stored card'
If the stored card number were pulled into a hidden field on the payment form, prior to posting to the payment gateway, that script would grab it.