Up through the end of 2019, you were required to key in your credit card number and full billing address for every transaction. The only information retained for each transaction was the last four digits and the logged-in user that made the payment, so that the league could retrieve and refund it later, if necessary.
inLeague has never had a data breach or exposed credit card numbers transmitted in this fashion. Nevertheless, as security standards evolve, we've moved to a platform where you key in your number and billing address one time and then simply refer to it later. You'd be forgiven for thinking that that sounds less secure, not more – but it's much closer to entering your credit card into Google Pay or Apple Pay (though not exactly the same).
In principle, if you enter your card number into inLeague five times over the course of the year, each of those five instances is an opportunity for any point along the path your card number takes to be compromised: your computer or phone when you enter the data; the network your computer or phone uses to send the data to inLegaue; inLeague's servers; and finally, inLeague's network when it relays the data to the payment processor. Under the new system, your card number is only sent one time ever, and its path avoids inLeague's network completely, cutting in half the number of potential attack vectors.
Most importantly: The league does not receive your credit card number They receive the same information they always had – the last 4 digits and the user who made the payment. When you click Manage Payment Methods and enter a card number, it is not sent to the league, but directly to the payment processor. The payment processor issues a unique code to the league that corresponds to that card. That code may only be used to charge your card by the league. Even were malicious persons to get hold of that code, they could not use it.
Does this mean that the league can charge my card whenever they want? Generally not. From inLeague, only logged-in users may submit transactions. Only the league official(s) with direct access to the payment gateway can charge a saved card directly, and inLeague does not facilitate or support doing so.