The servers have been "hacked" in the past and credit card details exposed - however they are hashed and salted and are very hard to be extracted. Even if they gave them out in plain text, they do not store the CVV (3 digits on back of card) which should always be asked by anyone taking a card transaction.

The xmas "cache" issue where you saw a page for another user, was just that, you saw a page - you had no interaction with the account and weren't logged in AS that user. You couldn't make a purchase on their account as you were still logged in as yourself - just looking at a cache of someone elses page.

On the downside....

3D secure is also very poor on "worldwide" sites. Where users may have cards issued by banks who deal in more than one country.

It's also not on every card. The main Visa/Mastercard issued banks can use it, but there are dozens that can not.

As the site isn't on Valves servers and redirects to another site, you WILL get dozens of people not purchasing as it looks 'strange' to new users who don't know what it is!

Hi,

Its actually just an example, I know about the encrypted info and page that shouldn't be cached. However I knew very little about 3D secure. Can you explain why its act very poor for site that accepting payment from worldwide?
AFAIK the bank will give a link to the server and the user get redirected to it. Once the user entered the information required, the bank will proceed with payment and give status to the server. (I only use 3D secure once or twice, not actually remember the flow).

As the last sentence on your post, every card owner should aware the card issuer, so its not a problem at all and not a strange; plus card that doesn't have 3dsecure enabled should proceed normally.