There are ways around legacy systems not storing certain characters to database field sizes that range from running delegate password serves to hashing passwords into something that an be stored on the legacy system. The one thing this thread does get at is the money involved. To Amex the costs and risks of their "weak" password requirements don't outweigh those of implementing a more secure password system.