Re: OK, hands up ..
Right now I'm coding the card-taking bit of a site I'm developing and no bloody way; my non-technical business partner wanted us to handle it all in-house to reduce transaction costs, but I refused to. No way I'm being responsible for that sort of stuff.
We're using a proper/expensive card processing company, storing nothing card-related for one-off payments and only storing a token to re-identify customers for repeat subscription charges, and I'm being super-paranoid about that: Azure Key Vault for the DB connection string and authentication key for the card processor, proofs against SQL injection of course, custom obfuscation of the tokens and key itself (because why not), super-locked-down privileges about which users can initiate financial stuff (not the ones used by interactive sessions for a start, not even admin users!) and I'm still looking around to see what else I can do.
The idea of leaking people's names and emails is scary enough, even for our small user-base, but card data; jeez, that's terrifying.