CSV is so deceptively simple that people don't care understanding it. I wasted countless hours working around services providing non-escaped data that off the shelf parsers could not parse.
My former employer was a lot more YOLO than that. When I joined (in the mid 2000s) there was no https on the website, passwords stored in plain text, no backup strategy, etc. But they printed money with their system.
I think there was no realtime CC processing back then. In my last job I found artefacts like fax forms where they would write down collected credit card data (from online subscriptions) to be sent to their processor. To have at least _some_ safety they would just check [1] if the CC number is sound.