Just FYI, checking the "do not store card numbers, even at checkout" works great for us at the moment. Since it only stores the last four digits of a card, I'm still able to process the payment as well as issue refunds to users when they need it. But I can't remember if that's the default, or if the default is to store the entire number. (It's been a while since I installed UC).

In any case I think if someone is storing the entire number there should be encryption in place; you may even consider encrypting anything that gets stored in the cc_number column.