Dark pattern abuse at its finest. You find this on all third party webstores that have decided to affiliate themselves with Shop. This has been spreading like the plague and infected a lot of webstores I used to use. If you don’t notice or forget to click on the “not now” at the bottom of the page they will create a Shop account that contains your email, phone number and credit card information without further warning. Whoever hacks into their database is going to hit a goldmine. You might have a Shop account without even realizing it right now.
And of course there is a 30 day delay for account deletion for purely made up reasons.


Hate to break it to you, but placing the order at all is already giving them all that data.
It’s more about consent to save the data rather than just passing it on to the payment processor. Different attack surface, as getting it without it being saved would require their codebase be compromised or some sort of man in the middle attack (which is difficult/impossible with encryption, if it’s done right), or compromising the payment processor themselves. If the data is saved, all of those work plus any brief security breach that gives access to the database, which will be the most common type of breach out of all the ones that could expose the CC info.
Sure they could still be saving it, but then if there is a breach, it will be discovered that not only did they have a breach but they made it worse by saving financial data without user consent, which would increase the damages for the class action suit for the breach. In theory, at least, hard to tell how it would work out with today’s level of corruption.