Thank you for the input. My jaw dropped when I saw my credit card number in my cookie.
The problem is that I need to replicate this behavior using cURL.
I spoke with a couple of the tech people at Intuit and this was their response:
It is true that the card # is set in cookies, but is also cleared as soon as we receive a response from PCI token server. That's the advised approach to tokenize credit cards.
The server will try to delete the cookie by setting expiration date to the past. It will work only if you create the cookie under ".intuit.com" domain, so you might need to use that domain if you want to rely on server's logic.
In any case, I would strongly recommend to do your own cleaning job as soon as you receive a token or an error from the server. The first thing that you need to do is to clean the cookie. Actually, consider this as a requirement, because this is what I've seen in other apps.
Basically if something goes wrong, your credit card number will sit on a cookie.
And if you do use Intuit, it's up to you to make sure your cookies are cleaned.
Kinda makes me nervous.
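
An added example, not part of the original post and not Intuit's code: when the flow is replicated with cURL and a cookie jar file (`curl -c`), the "cleaning job" described above can be done by dropping any cookie whose value holds a Luhn-valid card number from the jar after a token or an error comes back. The cookie names and the sample jar are constructed for illustration; only the `.intuit.com` domain comes from the post.

```python
import re
from urllib.parse import unquote

# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def holds_pan(value: str) -> bool:
    """True if the (URL-decoded) cookie value contains a Luhn-valid card number."""
    value = unquote(value)
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in PAN_RE.finditer(value))

def scrub_jar(text: str):
    """Filter a Netscape-format cookie jar; return (clean_text, removed_names)."""
    kept, removed = [], []
    for line in text.splitlines():
        # cURL marks HttpOnly cookies with this prefix; other '#' lines are comments
        row = line[len("#HttpOnly_"):] if line.startswith("#HttpOnly_") else line
        fields = row.split("\t")  # domain, subdomains, path, secure, expiry, name, value
        if len(fields) == 7 and not row.startswith("#") and holds_pan(fields[6]):
            removed.append(fields[5])
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed

# Constructed sample jar: hypothetical cookie names, well-known test card number
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    ".intuit.com\tTRUE\t/\tTRUE\t0\tcc_number\t4111111111111111\n"
    "#HttpOnly_.intuit.com\tTRUE\t/\tTRUE\t0\tsession\tabc123\n"
)

if __name__ == "__main__":
    clean, removed = scrub_jar(SAMPLE_JAR)
    print("removed cookies:", removed)
    print(clean, end="")
```

Run it in both the success and the error path, and write the filtered text back over the jar file so the number does not stay on disk.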