To be honest it, even if they say it is for security. It has a feeling like "maybe they will forget to remove their CC info if they stop playing".
There is nothing that will be forgotten... And they are not hiding this fact.
Months back StormShade made a very detailed explaination on how and why this works like it does.
The fact remains that while it may seem like Cryptic is the one storing your CC info it really is not.
It's just too expensive to run tier own CC gateway for as many customers as Cryptic is handeling, so they run it off a external handler.
The reason for this is:
- Extensive security requirements.
- Massive databases.
- Development time.
What they do, is register they payment methohd(s) you used to pay for STO, the card type, and the last 4 digits of your CC, to display on your page (my geuss is for cross reference for people who have more than one card... Thats it. So there is no vital info on the Cryptic servers about your CC.
Having handled webpages with CC myself, this is a pretty routine method of doing things.