Regardless of how they're stored, people should be worried that they're sending passwords via email. Passwords (especially ones that can cause financial harm) are considered PII and sending them via email (unencrypted transmission) is illegal in Massachusetts and probably a few dozen other states.
Um, what. I most certainly have checked out of Newegg without re-entering my card number. Even if they store the numbers off premises for PCI certification reasons, if a Newegg password lets someone log in and buy a hundred flat screens on my account, that sounds like financial harm to me.
I did not know this. Thank you for pointing it out. In that case, it's probably not in violation of MA law. It does protect against grey areas that may allow malicious activity against you, e.g. billing address, etc., but it would be a hard sell and not worth anyone's time. Though, it's worth pointing out this is exactly why companies do everything possible to avoid storing PII (e.g. credit card info) even if it's to the customer's disadvantage.