The credit card is sent to your server/WP/PMPro to process when the checkout form is submitted. Then PMPro uses the Authorize.net API to authorize and charge the card and to setup the subscription. After this, only the card type, last 4 digits, expiration date, and billing address are saved to the WP/PMPro database.
Recurring subscriptions are stored in Authorize.net ARB and charges are kicked off from Authorize.net and synced to WP/PMPro through the “silent post URL”.
Users can update their credit card on the WP site. There is a /membership-billing/ page setup to do this. This form acts similar to the checkout form. The card is submitted, updated in Authorize.net through their API, then only the last 4/etc are saved.
Be sure to use SSL/HTTPS.
Hope this clears things up
