I'm looking at the CC Payment module we're using from our Merchant and I've noticed this option:

"Store Sensitive Card Details Temporarily in Session?
Should the customer's sensitive card details - the Card Number and the Card CV2 Number - be stored temporarily in the session? (They'll be cleared from the session when the order is completed).

As standard, if a customer leaves the payment details page to go back to the shipping page or the shopping cart, or if they make a mistake when entering their card details, the module will restore most of the details entered, so the customer doesn't have to re-enter them when they come back to the payment page.

When this option is enabled, the Card Number and the Card CV2 Number will also be stored temporarily, encrypted in the session using a Blowfish algorithm.

If this option is disabled, neither the Card Number nor the Card CV2 Number are stored in the session. Customers will have to re-enter their Card Number and their Card CV2 Number in full any time they come back to the payment page (i.e. if they don't go straight from the payment page to order completion)."

I wonder, I wonder! We have this set to "Yes". Should it be "No" ?? Could this possibly be causing it?? I'm going to test run it.