It's also intentionally difficult to gain access to the customer's card number on checkout. All the server is allowed to receive is a unique token representing the customer to complete the transaction with. Pretty clever, but I suppose not impossible to workaround.
