I know this is an old post, but I thought I would give some headway.
The CCs are saved in the database, and the last 4 are seen by the customer and staff, along with the type and EXP. At some point, I believe it decrypts this information just to even show us this much, but I could be wrong. It does decrypt this information to run CCs.
Further, in the database is a table with the encrypted code, and an ID back to the current hash being used. Hashes are automatically updated every so often, with the possibility of more than one at any time being used. There appears to be maybe 1 master 'salt' to the multiple hashes.
I'm sure with the correct sequence, unencrypting for the sake of moving and importing elsewhere could be scripted easily.