Our systems, both xTupleCommerce and the xTuple REST API, require an SSL (Secure Sockets Layer) certificate to function. SSL, and its successor TLS, which is what modern servers actually negotiate when an "SSL certificate" is installed, is the standard technology for creating an encrypted connection between a server and a client (for example, between a user's browser and the web server). It allows sensitive information to be transferred securely. Without it, data would travel between the server and the client in plain text, and anyone on the network path could intercept that traffic and read the sensitive information it carries.
Neither xTupleCommerce nor the ERP stores plain-text credit card information in its database. Both systems integrate with Authorize.net through its API. The same SSL/TLS technology encrypts the information sent to and from Authorize.net, and we rely on Authorize.net to store the credit card information securely.
When storing a credit card on file we use Authorize.net tokens that represent the card and customer data; the card number itself stays with Authorize.net. In the ERP's Postgres database we encrypt sensitive information with the Blowfish cipher provided by Postgres's pgcrypto extension. Customer card data is therefore never passed or stored in plain text: what we hold is an encrypted token, a string of letters and numbers that refers to the card record held by Authorize.net. A token only has value when it is presented to Authorize.net through the API with the merchant's own credentials, so without that authenticated connection the tokens are worthless, and an attacker who obtains them cannot recover the card details.
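As an added illustration of the storage pattern described above (this is not xTuple's own schema or code), the following pgcrypto SQL keeps an Authorize.net profile token, never the card number, encrypted at rest with Blowfish. The table, column and psql variable names and the sample token pair are assumptions made for the example.

```sql
-- Added example, not xTuple's schema: Authorize.net profile tokens
-- encrypted at rest in Postgres with pgcrypto's Blowfish cipher.
-- Table, column and variable names are illustrative assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE IF NOT EXISTS custpayprofile (
    custpayprofile_id serial      PRIMARY KEY,
    cust_id           integer     NOT NULL,
    -- Authorize.net customerProfileId and customerPaymentProfileId,
    -- PGP-wrapped with a symmetric passphrase (cipher-algo=bf = Blowfish).
    -- The PAN is never written here.
    anet_token_enc    bytea       NOT NULL,
    card_last4        char(4)     NOT NULL,  -- display only; not a secret on its own
    created           timestamptz NOT NULL DEFAULT now()
);

-- Store: the passphrase is supplied by the application at runtime
-- (psql variable :'ccpass' here, set with \set ccpass '...');
-- it must not live in the database alongside the ciphertext.
-- '1901234567:1801234567' is a constructed sample token pair.
INSERT INTO custpayprofile (cust_id, anet_token_enc, card_last4)
VALUES (
    1001,
    pgp_sym_encrypt('1901234567:1801234567', :'ccpass', 'cipher-algo=bf'),
    '1111'
);

-- Read back only at charge time. The result is the token pair, which is
-- useless to anyone who lacks the merchant's Authorize.net API credentials.
SELECT cust_id,
       card_last4,
       pgp_sym_decrypt(anet_token_enc, :'ccpass') AS anet_token
  FROM custpayprofile
 WHERE cust_id = 1001;

-- A wrong passphrase fails closed instead of returning garbage:
-- SELECT pgp_sym_decrypt(anet_token_enc, 'not-the-key') FROM custpayprofile;
-- ERROR:  Wrong key or corrupt data
```

pgp_sym_encrypt is used rather than the raw encrypt() function because it generates its own salt and session key and checks integrity on decrypt, so a wrong key is detected rather than silently producing bytes. cipher-algo=bf is shown to match the Blowfish choice described on this page; pgcrypto's default is aes128, and Blowfish's 64-bit block size makes AES the better choice for a new deployment.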
Authorize.net - how credit card processing works
Authorize.net - storing customer data
Authorize.net API Reference Guide
Understanding PCI Compliance
Postgres Blowfish Security Algorithm