Everything is encrypted with high grade encryption, salted... etc. etc. Comodo "green bar" SSL, firewalled... We had it audited by a bank auditing company. It exceeds banking compliance standards. The main site is just standard HTTP... the banking area (on a differing server cluster) goes to the secure system.
And then I found this on the signup page...
password must be 6-12 characters
Are you kidding me? You are limiting passwords to 12 characters? And you consider this sufficient security? Sounds to me like you're storing the passwords in plaintext.
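The reasoning behind that inference, as an added example that is not part of the original post: a salted password hash occupies the same number of bytes whatever the password length, so storage gives no reason for a 12-character cap. The function names, the PBKDF2 iteration count and the 128-character upper bound are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16         # bytes of random salt stored with each record
MIN_LEN = 6           # the minimum quoted from the signup page
MAX_LEN = 128         # assumed generous cap, only there to bound hashing cost


def hash_password(password: str) -> bytes:
    """Return salt || derived key. Always SALT_LEN + 32 bytes long."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError("password length outside policy")
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + key


def verify_password(password: str, record: bytes) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(key, expected)


def record_lengths(passwords):
    """Map each password's length to the length of its stored record."""
    return {len(p): len(hash_password(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample passwords: 6, 12 and 47 characters long.
    samples = [
        "abcdef",
        "twelve-chars",
        "a much longer passphrase than twelve characters",
    ]
    for pw_len, rec_len in record_lengths(samples).items():
        print(f"password of {pw_len:2d} chars -> stored record of {rec_len} bytes")
```

A fixed-width column holds every record here, which is why a short maximum length is commonly read as a hint that the password itself, not a hash, is what gets stored.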