Here's the link to that work item: http://nopcommerce.codeplex.com/workitem/9959
I noticed that "Impact" field for this is set to "Low." I'd argue that, due to PCI compliance and security concerns, it should be assigned a higher impact.
Based on my experience with other shopping cart systems (what's orthodox for most), plus research on PCI compliance, it seems like the behavior should be the following
1. If Manual Processing is used, the CVV is NOT stored at all (the credit card companies really do NOT like it being stored at all)
2. When processing an order, clicking the "Mark as paid" button causes all BUT the last 4 digits of the credit cart to automatically be overwritten (typically the numbers are overridden with X's as placeholders), like this: XXXX-XXXX-XXXX-1111
Retaining the last 4 digits helps by allowing customers to identify which card was used for the puchase without revealing the whole card number.
Any thoughts from other users, especially based on their interactions with the banks or credit card companies?