That's not true. If CC data is passing through his system, their are things he needs to be aware of. You'd be surprised at the logs that are generated by people who don't store credit card information. Somehow, that unstored CC information winds up in a random logs directory, unencrypted and open for anyone to see.