Again, I don't see why the third party would be the one, nor needs to be the one, to store the CC to be used. Princess ought to be the one storing it in their System and all the 3rd party vendor needs is some sort of Medallion identifier for the guest so that when tapped in a store, the vendor 3rd party system knows that the customer/guest is authorized to make a purchase and the purchase details get transmitted to the ship system which can then bill the guest's on-board account (or provided CC). I don't know that we have definitive info that the 3rd party company actually gets readable credit card numbers, expiry dates, and CVV codes.