This is a very loaded question with a lot to it as data can be at risk when it’s being transported or is at rest or in a cloud/on prem, but if they’re storing the info (like a saved card in the Starbucks app) it’s into an encrypted database. You’re using an interface likely two layers away. Typical system architecture for big company systems at a very high level usually go database on the bottom (single master resource) -> application layer (usually a few different ones that split the business process tasks) -> and the front end interface. Regardless of if it’s stored permanently the transaction process when you put your card into a site the payment merchant will securely transfer the transaction information with the data to their payment gateway. The payment gateway transfers the transaction information to the payment processor used by the merchant’s bank. Typical security measures (encryption, firewalls, DNS filtering, Etc) need to be applied and maintained but the process is designed to be secure and use and drop data then roll into a new transaction or process when memory is available. Bad actors grabbing credit cards from hacking a website isn’t really typically what’s going on when there are those data breaches and attacks on big companies like that, it’s usually phishing and social engineering behind it.