in reply to Authorize.Net Credit Card

In a dynamic GC-based system, the bits forming the cc number could indeed hang around much longer than the variable itself, and even get swapped to disk. A program that gained read-only access to memory or swapfile could scan for sequences that look like cc numbers and have a valid checksum, and might get lucky.

Obviously, storing it in more obfuscated form isn't quite enough, if it will be decoded before use. To make it work, you must not fully decode it! But what are you doing with the number? You send it out the file handle one digit at a time. So, you could programmatically extract the first digit and send it, then the second and send it, etc., and never have the full thing stored in a Perl variable (socket buffers and such are another story, and a more general problem).

So, you could store the digits in an array or hash instead of a scalar string, and then it will already be scrambled when the memory is released, and not findable using the simple method discussed above.
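
An added example, not part of the original post: a check you could run over a core dump or swap image of your own application to see whether a full card number is recoverable by the digit-run-plus-checksum scan described above. The function names, the sample buffers and the padding layout of the scattered case are constructed for illustration; `4111111111111111` is a standard test number.

```python
import re

# Runs of 13-19 ASCII digits that are not part of a longer digit run.
# Other encodings (UTF-16, packed BCD) are not covered by this pattern.
CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over a run of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(buf: bytes):
    """Return (offset, masked_number) for each Luhn-valid digit run in buf."""
    hits = []
    for m in CANDIDATE.finditer(buf):
        run = m.group()
        if luhn_ok(run):
            # Report only first 6 / last 4 so the audit log holds no full number.
            masked = run[:6] + b"*" * (len(run) - 10) + run[-4:]
            hits.append((m.start(), masked.decode()))
    return hits


# Constructed sample data (not real memory contents).
PAN = b"4111111111111111"
# Number held in one string: the digits sit next to each other in memory.
CONTIGUOUS = b"\x00\x07junk" + PAN + b"\x00heap"
# Assumption: digits held one per element, each with unrelated bytes around it.
SCATTERED = b"".join(bytes([d]) + b"\x00\x18\x00\x00" for d in PAN)
# A 16-digit run that fails the checksum (e.g. an order id).
NOT_A_PAN = b"id=1234567890123456;"

if __name__ == "__main__":
    for name, buf in [("contiguous", CONTIGUOUS), ("scattered", SCATTERED),
                      ("not_a_pan", NOT_A_PAN)]:
        print(name, find_pan_candidates(buf))
```

A clean result only rules out this simple scan; it says nothing about copies in socket or I/O buffers, which the post sets aside as a separate problem.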