
Use SecureString for credit card numbers


I've been looking into using the System.Security.SecureString class to hold credit card numbers in memory while they are being processed. Has anyone used the SecureString class for holding credit card numbers, or do most just use the normal System.String class?


Solution

  • From a PCI-DSS perspective, there is no requirement to protect card numbers stored only in memory.

    PCI states only that card numbers persisted to disk, or transmitted across a network, must be encrypted. This is a common-sense approach to the issue. Using SecureString will ensure that the string is never cached to disk, but as you say - it's troublesome to use. This post has some good suggestions though: https://stackoverflow.com/questions/122784/hidden-net-base-class-library-classes#123141

    In theory, protecting memory sounds like it would add strength, but in truth if a bad guy has access to the RAM, then it's pretty much game over anyway.
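As an added illustration of the mechanism the answer describes (not code from the question or answer above), the following shows the usage pattern that makes SecureString worth the trouble: the card number is appended digit by digit so it never exists as an immutable managed string, and it is decrypted into unmanaged memory only for the duration of a Luhn check, then zeroed with ZeroFreeBSTR. The class name, method names and the test card number are assumptions for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class CardNumberHandling
{
    // Append digits one at a time so the full PAN never exists as an immutable
    // managed string; in real code the chars would come from a masked input, not a literal.
    public static SecureString ReadCardNumber(ReadOnlySpan<char> input)
    {
        var pan = new SecureString();
        foreach (char c in input)
            if (char.IsDigit(c)) pan.AppendChar(c);
        pan.MakeReadOnly();
        return pan;
    }

    // Luhn check that decrypts the PAN into unmanaged memory only for the
    // duration of the loop, then zeroes it (ZeroFreeBSTR) before freeing.
    public static bool PassesLuhn(SecureString pan)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(pan);
            int sum = 0;
            bool doubleIt = false;
            for (int i = pan.Length - 1; i >= 0; i--)
            {
                int d = Marshal.ReadInt16(bstr, i * 2) - '0'; // BSTR is UTF-16, 2 bytes per char
                if (doubleIt && (d *= 2) > 9) d -= 9;
                sum += d;
                doubleIt = !doubleIt;
            }
            return sum % 10 == 0;
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        // Constructed Luhn-valid test number, not a real card.
        using SecureString pan = ReadCardNumber("4539 1488 0343 6467");
        Console.WriteLine(PassesLuhn(pan) ? "Luhn check passed" : "Luhn check failed");
    }
}
```

The plaintext still exists in unmanaged memory during the check, which is exactly the window the answer's "access to the RAM" caveat refers to; the pattern only shortens that window and avoids leaving copies behind for the GC to move around or page out.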