What Kickstarter save is a unique token, ex. da39a3ee5e6b4b0d3255bfef95601890afd80709 (not a real token, just an example).
The token can only be used with the private / public key pairs that Stripe provided to them, so even if a hacker got access to Kickstarter's database, they would still need the private/public keys to make use of the tokens.
Also, my expectations are that only whitelisted IPs should be able to access Stripe with the key pairs of Kickstarter.
Not only that. The hacker could only use the token to transfer money between you and KickStarter, not to another account. So unless they also had access to make withdrawals from KickStarter - they couldn't do anything useful other than annoy KickStarter with a bunch of erroneous charges.
Basically, the only important information Kickstarter gets from any card are the last 4 digits, whether it's Visa, Master Card, AMEX, etc., and the expiration date.
The token can only be used with the private / public key pairs that Stripe provided to them, so even if a hacker got access to Kickstarter's database, they would still need the private/public keys to make use of the tokens.
Also, my expectations are that only whitelisted IPs should be able to access Stripe with the key pairs of Kickstarter.