Serif do NOT save your credit card details. We save the last 4 digits of the 16 you entered, and your name, but not the security number, and a tokenized version of the transaction. This is standard practice and it is not enough to do anything further with.
To give some background, all responsible merchants shouldn’t be storing credit card information for over half a decade now…instead they swapped to credit card tokenization where a token is stored but the credit card information no longer exists. Our order gateway is Stripe, who are fully PCI compliant. For PCI-DSS compliance since June (summer of 2010), most Merchants started the journey of not storing credit cards natively in their database, some store the last 4 digits and then may store a token that links to the accompanying payment information to the gateway processor. As the token is only undecipherable using a private Serif owned Stripe key, that token would be useless to anyone but Serif.
We have to store this token to show you the card that was used to place the order and for legal tax reasons. However we do not have to use offer that token for your next purchase. At the moment you can replace a card when placing your next order but not remove the used one from being offered again (i.e. "delete the key" outside of an order). I think it is a very sensible suggestion to add the option to remove that token from being available future purchases by you. Being a new shop we have had a few useful suggestions like this that we will implement.