|There's more than one way to do things|
There is no security difference between a cookie and a hidden field in a form on the client side. They are both likeley to be stored on the hard disk. Having the key in the form just binds it closer to its use so it is less likely to leak out. If you were careful you could get the same effect with cookies -- using path etc.
It does not matter if someone has the key on the client machine, because the CC# is on your computer. And if they get into the database they will need the key from each client to get the stored CC#s.
Yes you can run a cron job to remove the old entries.
A picture is worth a thousand words, but takes 200K.
In reply to Re^3: Storing credit card numbers temporarily (OT)