Insecure cryptographic storage.

To avoid problems:

Follow the Payment Card Industry guidelines for credit card processing.

Hashing passwords

Many articles on the web suggest that MD5 and SHA-1 are no longer considered strong enough for hashing passwords.
In fact, if you type an unsalted MD5-hashed password into Google, there is a reasonable chance of finding the plain-text password.

Stronger hashing algorithms are available, e.g. SHA-512 or PBKDF2.

Here are some guidelines for dealing with passwords:

Some guidelines for using salt:

You should always use an open source or commercially available hashing library and avoid writing your own hashing code, but changing the way you use that library helps security. For example, you could add part of your salt to the password, hash it with PBKDF2, then add more salt, hash again, and so on. Normally "security through obscurity" is not considered good practice, but in this case the technique reduces the effectiveness of rainbow tables and so increases your security.
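The contrast between unsalted MD5 and a salted PBKDF2 hash from a standard library, as an added example that is not part of the original page. The function names, the storage format, the iteration count and the choice of SHA-512 inside PBKDF2 are assumptions made for illustration; the code uses the library's plain PBKDF2 call with a random per-password salt.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha512"   # hash used inside PBKDF2 (assumed choice)
ITERATIONS = 210_000   # assumed work factor; tune to your own hardware
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """The weak scheme: the same password always gives the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha512$iterations$salt$hash' using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        f"pbkdf2_{ALGORITHM}",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iter_s, salt_b64, hash_b64 = stored.split("$")
        iterations = int(iter_s)
        if scheme != f"pbkdf2_{ALGORITHM}" or iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:  # malformed record: wrong field count, bad int or base64
        return False
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was created with fewer iterations than the current setting."""
    return int(stored.split("$")[1]) < ITERATIONS
```

Because the salt and iteration count are stored with each hash, a record flagged by `needs_rehash` can be re-hashed with the current settings the next time that user logs in successfully.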
