Realistically, it's highly unlikely that the device itself received and is storing the CC details. Most likely the device pings Canons servers when ordering should be done, and then the backend servers handles the actual order and payment.

But, never say never, it wouldn't even be the worst thing i've seen in the IoT world.

When it comes to IoT, never ask how bad things can be for they will surely be worse than you can possibly imagine.