Re: no payment information was among the mix
So, uhh, yeah. This has been a security feature at a LARGE number of places for almost two decades. Credit card data is stored with a separate company, who provides only a token. That token is stored as part of the user record. The separate company actually processes all credit card charges, and only accepts connections from the IP address that the merchant uses for those purposes, and only credits the merchant's account.
So this one, I believe.