How are credit card numbers stored safely on a server?


Like companies that provide a service and charge you monthly automatically? How are the credit card numbers stored safely so everyone doesn’t know your number? I understand password hashing on servers. Is it similar to that?


7 Answers

Anonymous

They wouldn’t be hashed because hashes are one-way. They will be encrypted.

Pretty much all companies that aren’t payment processors will use a payment processor company to do the actual transactions. In order to be able to process credit cards you need to be PCI compliant which involves a lot of rules and regulations. Most companies don’t want to deal with that, and need to ensure that credit card numbers do not pass through their own servers.

What the payment processor does is they take the credit card info and give the company some kind of token that is associated with the card. The company can issue charges against that token. The token is only valid for that particular company, and can be revoked so it is no longer valid. That’s what happens when you cancel a subscription, that token gets revoked, so it can no longer be used. This keeps it separate from your actual credit card number, so you don’t need to replace your card to ensure it can be charged.

Even with all that, it’s still technically possible for an employee at the payment processor company with sufficient access/permissions to get the details. But that’s true with in-person transactions too. People give credit card numbers over the phone all the time, and there’s nothing stopping the person taking the call from writing it down. And checks are even worse, because there isn’t any regulation on keeping that information secure at all.

The entire banking industry works more on fraud mitigation because at a fundamental level prevention isn’t possible. It’s why banks have sophisticated AI systems to detect “suspicious” transactions. I’m pretty sure they also help track down thieves and fraudsters because it’s in their best interest. The overall idea is to try to make the risk not worth the reward.
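
The token flow described in the answer above, as an added example that is not part of the original post: an in-memory model of the processor's side showing that the merchant stores only a token, that the token works for one merchant only, and that revoking it stops further charges. The class, method and merchant names are hypothetical, and the card number is the standard test number, not a real account.

```python
import secrets

class TokenVault:
    """Constructed stand-in for the payment processor (hypothetical names)."""

    def __init__(self):
        # token -> record; a real processor keeps the card number encrypted at rest.
        self._records = {}

    def tokenize(self, merchant_id, card_number):
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = {"merchant": merchant_id, "pan": card_number, "active": True}
        return token, card_number[-4:]  # merchant may keep the last 4 for display

    def revoke(self, merchant_id, token):
        rec = self._records.get(token)
        if rec and rec["merchant"] == merchant_id:
            rec["active"] = False

    def charge(self, merchant_id, token, amount_cents):
        rec = self._records.get(token)
        if rec is None:
            return "declined: unknown token"
        if rec["merchant"] != merchant_id:
            return "declined: token not valid for this merchant"
        if not rec["active"]:
            return "declined: token revoked"
        # Only here, inside the processor, is the real card number used.
        return f"approved: {amount_cents} cents on card ending {rec['pan'][-4:]}"


def demo():
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed sample: well-known test number
    token, last4 = vault.tokenize("merchant_a", test_pan)
    merchant_db = {"customer_42": {"token": token, "last4": last4}}  # no card number
    results = [
        vault.charge("merchant_a", token, 999),  # monthly subscription charge
        vault.charge("merchant_b", token, 999),  # same token, different merchant
    ]
    vault.revoke("merchant_a", token)            # subscription cancelled
    results.append(vault.charge("merchant_a", token, 999))
    return merchant_db, results


if __name__ == "__main__":
    print("\n".join(demo()[1]))
```
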
