Cart-Lab Blog

X-Cart & E-commerce related news, resources and tips. Postings by: B00MER of Cart-Lab.com


Saturday, January 20, 2007

Question about quote from X-Cart manual.

...your customers' data stays protected even if your database gets stolen - provided, the malicious person does not have access to your config.php file and has not stolen your Blowfish key in some other way.
What the manual is referring to is the simple fact that X-Cart uses "Blowfish" encryption when storing sensitive data, such as credit card information and passwords, in the database. Keep in mind that if you are using an online processor such as Authorize.net, and have no real need to keep a customer's credit card information on file (as you would, for example, with X-Cart's subscription module), then most of the time there is no need for both you and the processor company to keep a copy. If you are using a manual processor then obviously you'll need to store the customer's credit card information, but I would HIGHLY recommend you remove it once the order has been successfully processed and the customer is happy.

You can edit config.php and stop X-Cart from storing credit card data at all. Look for the variable $store_cc and set it to false; it is set to true by default. Thankfully the default is NOT to store the CVV2 security code, the storage of which is highly discouraged by Visa and Mastercard themselves.

The alternative is to periodically remove this information from customer profiles and order data. Within X-Cart's administrative area, go to "Summary" and proceed to "Credit card information removal". I would recommend clearing both available options.

Keeping sensitive data as far away from everyone as possible is the best fail-safe method of keeping your customers' sensitive data "secure". If the processor gets hacked and your customers' data does get stolen (highly unlikely), the fault lies with them, not you.
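As an added example (not X-Cart code, and not taken from the manual), the following Python script shows the two checks the advice above boils down to: scrubbing card data out of an order once it has been processed, and auditing stored orders for card numbers or CVV2 values that are still lying around. The order records, the field names (orderid, status, card_number, cvv2, notes), the status values "processed" and "queued", and the Luhn-based scan are all assumptions made for this illustration; the card numbers are well-known test PANs, not real cards.

```python
"""Added example: post-processing scrub and retention audit for stored orders.

Not X-Cart code. The record layout and status values are assumptions; the
sample orders are constructed and use public test card numbers.
"""
import re
from typing import Dict, List

PROCESSED = "processed"  # assumed status of an order that has been charged

# Constructed sample orders standing in for rows of an orders table.
SAMPLE_ORDERS: List[Dict] = [
    {"orderid": 1001, "status": PROCESSED, "card_number": "4111111111111111",
     "cvv2": "123", "notes": "Tracking 1234567890123456"},
    {"orderid": 1002, "status": PROCESSED, "card_number": "5555 5555 5555 4444",
     "cvv2": "", "notes": ""},
    {"orderid": 1003, "status": "queued", "card_number": "4111111111111111",
     "cvv2": "", "notes": "awaiting manual processing"},
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_pans(text: str) -> List[str]:
    """Digit runs of card-number length that also pass Luhn (filters out tracking ids)."""
    compact = re.sub(r"[ -]", "", text)   # tolerate '4111 1111 ...' and dashed forms
    return [run for run in re.findall(r"\d{13,19}", compact) if luhn_valid(run)]


def scrub_processed_order(order: Dict) -> Dict:
    """Return a copy with the PAN masked to its last four digits and the CVV2 cleared.

    Orders that are not yet processed are returned unchanged, since a manual
    processor still needs the number to charge them.
    """
    cleaned = dict(order)
    if cleaned.get("status") != PROCESSED:
        return cleaned
    digits = re.sub(r"\D", "", cleaned.get("card_number", ""))
    if digits:
        cleaned["card_number"] = "*" * (len(digits) - 4) + digits[-4:]
    cleaned["cvv2"] = ""                 # the CVV2 should never be retained
    return cleaned


def find_retained_card_data(orders: List[Dict]) -> Dict[int, List[str]]:
    """Map orderid -> fields that still hold a full card number or a CVV2 value."""
    findings: Dict[int, List[str]] = {}
    for order in orders:
        flagged = []
        for field, value in order.items():
            if not isinstance(value, str):
                continue
            if field == "cvv2" and value:
                flagged.append(field)
            elif field != "cvv2" and candidate_pans(value):
                flagged.append(field)   # catches PANs pasted into notes too
        if flagged:
            findings[order["orderid"]] = flagged
    return findings


if __name__ == "__main__":
    print("before scrub:", find_retained_card_data(SAMPLE_ORDERS))
    scrubbed = [scrub_processed_order(o) for o in SAMPLE_ORDERS]
    print("after scrub: ", find_retained_card_data(scrubbed))
```

Run the audit against an export of the orders table on a schedule: anything it reports after the scrub has run is either an order that still legitimately awaits processing or data that should not be there at all. The Luhn filter keeps tracking numbers and similar long digit strings from producing false positives.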

The last sentence of the quote refers to the $blowfish_key that is generated when X-Cart is installed and held within the config.php file; this is another reason to keep up with all security patches, not just X-Cart's, to help prevent any loss of data and damages. If a malicious person did get hold of your database but NOT the Blowfish key, it would be very difficult for him to get even one number out of the database. No cipher is really fail-safe, in the sense that brute-force attacks and other means can be deployed to decrypt the data, but doing so requires quite a bit of time and processing power.

Some references:
Wikipedia on Blowfish
My previous 2004 security recommendations for X-Cart
X-Cart related article

X-cart Cart-Lab.com Resources, and More!
