Stripe was just getting big as I left for a job in edtech so I never had a chance to work with it. Excuse my ignorance but does it require you to send your card info to the vendors server rather than directly to stripe? If that’s the case you are still wide open to basically every form of bad handling.

Just because a vendor doesn’t NEED to store your CC doesn’t mean they’re not out of sheer ignorance or incompetence.

Nope, it's designed so that the card details never touch the vendors server. They don't see it to be able to store it.