Without diving into politics, we all know that cyberwarfare is a very real thing. GOG has many thousands of credit card details on their servers. Including mine. And I doubt if GOG is more secure than my bank, which got hacked two years ago.

I try to do my due diligence, including a good paid AV/Malware suite, a VPN, a security oriented browser (Vivaldi), and Two-Factor Authentication.

Is that enough? Can I do more? Would deleting my CC info and just adding money to my GOG wallet help? If GOG gets hacked by Russia, do customers have any recourse?
rabblevox: Without diving into politics, we all know that cyberwarfare is a very real thing. GOG has many thousands of credit card details on their servers. Including mine. And I doubt if GOG is more secure than my bank, which got hacked two years ago.

I try to do my due diligence, including a good paid AV/Malware suite, a VPN, a security oriented browser (Vivaldi), and Two-Factor Authentication.

Is that enough? Can I do more? Would deleting my CC info and just adding money to my GOG wallet help? If GOG gets hacked by Russia, do customers have any recourse?
Theoretically, tokenization should reduce/eliminate the risk of having your information stolen in the event of a hack:
https://www.nerdwallet.com/article/credit-cards/credit-card-tokenization-explained
You should be keeping an eye on transactions on your card in any case, but if something did happen you can always dispute charges and report the card/information was stolen and get a new card issued.
rabblevox: Without diving into politics, we all know that cyberwarfare is a very real thing. GOG has many thousands of credit card details on their servers. Including mine.
Imma stop you right there: https://support.gog.com/hc/en-us/articles/360001948194-FAQ-Shopping-experience?product=gog
low rated
rabblevox: Without diving into politics, we all know that cyberwarfare is a very real thing. GOG has many thousands of credit card details on their servers. Including mine.
Randalator: Imma stop you right there: https://support.gog.com/hc/en-us/articles/360001948194-FAQ-Shopping-experience?product=gog
Simply not true. Once I log into my account, from ANY computer, I can make a purchase by supplying nothing more than my 3 digit auth code. That means my CC info is on GOG servers.
rabblevox: Simply not true. Once I log into my account, from ANY computer, I can make a purchase by supplying nothing more than my 3 digit auth code. That means my CC info is on GOG servers.
You must have saved your details then. I would suggest to never do that on any site as no site is secure, or will ever be secure. It’s a self-defeating chase, if it’s more secure, then it’s a better target etc. Never save any details, and use an account with virtually no money to avoid losses. You can only manage exposure.
rabblevox: Simply not true. Once I log into my account, from ANY computer, I can make a purchase by supplying nothing more than my 3 digit auth code. That means my CC info is on GOG servers.
Not likely. A token replacing your card data is on GOG servers. If somebody somehow steals that token, they can't get any of your sensitive information.
low rated
rabblevox: Simply not true. Once I log into my account, from ANY computer, I can make a purchase by supplying nothing more than my 3 digit auth code. That means my CC info is on GOG servers.
nightcraw1er.488: You must have saved your details then. I would suggest to never do that on any site as no site is secure, or will ever be secure. It’s a self-defeating chase, if it’s more secure, then it’s a better target etc. Never save any details, and use an account with virtually no money to avoid losses. You can only manage exposure.
Probably the best advice so far. I've deleted my card info, and changed my PW and 2FA. I already use a minor card with a small limit.
I want to emphasize I don't distrust GOG at all, over 12 years and 600 games they have been honorable and safe. Putin and Russia Cybercommand? Not so much.
Post edited February 27, 2022 by rabblevox
rabblevox: Simply not true. Once I log into my account, from ANY computer, I can make a purchase by supplying nothing more than my 3 digit auth code. That means my CC info is on GOG servers.
Nope, you allowed them to save a token (which has been said before in this thread). This token is useless for anything outside GOG purchases.
Really, the only thing GOG could do to improve the security is to amp up the 2FA to a proper one.
rabblevox: Simply not true. Once I log into my account, from ANY computer, I can make a purchase by supplying nothing more than my 3 digit auth code. That means my CC info is on GOG servers.
Randalator: Nope, you allowed them to save a token (which has been said before in this thread). This token is useless for anything outside GOG purchases.
I'm not arguing, but could you explain this like I'm five? I honestly don't understand how if I can (for example) log in to my account from a public computer at the library and buy a game, the only thing I'm asked is for my 3 digit code. How, in any real sense, is my CC # and billing info NOT stored? I'm not saying I'm right, just that I don't get it.
rabblevox: I'm not arguing, but could you explain this like I'm five? I honestly don't understand how if I can (for example) log in to my account from a public computer at the library and buy a game, the only thing I'm asked is for my 3 digit code. How, in any real sense, is my CC # and billing info NOT stored? I'm not saying I'm right, just that I don't get it.
So imagine this: g87qw5u80weuf09afsu9q=42148f7hqhfwqaf89fqhwqfwqfqhw142=15
That's a token. It's a uniquely generated one time check. The next token is t80weasgvsjegfjaiofjaw89uw095238952809sjgopfaq. If it gets intercepted, all that anyone would find out is some junk data.
rabblevox: I'm not arguing, but could you explain this like I'm five? I honestly don't understand how if I can (for example) log in to my account from a public computer at the library and buy a game, the only thing I'm asked is for my 3 digit code. How, in any real sense, is my CC # and billing info NOT stored? I'm not saying I'm right, just that I don't get it.
Darvond: So imagine this: g87qw5u80weuf09afsu9q=42148f7hqhfwqaf89fqhwqfwqfqhw142=15
That's a token. It's a uniquely generated one time check. The next token is t80weasgvsjegfjaiofjaw89uw095238952809sjgopfaq. If it gets intercepted, all that anyone would find out is some junk data.
If it’s just a token like that, how does GOG know what card to use, and what account to put the game in? End of the day it does matter how obfuscated the process is there will be a weak point.
high rated
nightcraw1er.488: If it’s just a token like that, how does GOG know what card to use, and what account to put the game in?
The article posted by SCPM does a good job of explaining that:

With tokenization, the only data stored on the merchant's network is the token. The sensitive card data itself is stored on a server with much higher security. The token is basically a link to that data.

About your comment stating that "there will always be a weak point". I agree. This is technically true about everything in life: there is no such thing as 100% security or 100% safety. Such a thing will never exist. Period. I am not being cynical. A good analogy is this: as a driver, I can be the safest behind the wheel, following every single road rule in the book, taking every precaution to be the best driver on the road, but all it takes is a careless drunk driver on the same road as me and I get implicated in an accident I never asked for. Same for digital security.

Here's a more specific example: my Mom is technologically-challenged. She can barely operate a TV remote (bless her). Does not own an ATM card. Has never experienced the Internet, so no online banking ever. If she needs to pay bills or withdraw cash, she does so the old-fashioned way: presents herself in person to the bank teller. Yet, last year or so, she was the victim of identity theft. Strange for an old lady who has never set foot in the digital era. I was shocked! How could my Mom, of all people, have had her digital identity stolen?! Then we found out why: an employee from her bank took the company laptop to a cafe, decided to go to the washroom while leaving the laptop unattended and it got stolen, along with the personal data of every client at that bank.

Moral of the story? I don't know. LOL! I guess I continue to be as safe as I can be. Like you, I never save my details on any merchant site, nor within my web browser, and I use a pre-paid credit card with very limited funds whenever I shop online. I trust GOG's transaction system, but I also know that nothing is 100% secure. Most credit card companies know this and it's why most have a refund policy for fraudulent purchases.
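
An added illustration of the tokenization arrangement quoted in the post above (merchant keeps only a token, the processor's vault keeps the card); it is not part of any forum post and is not GOG's or any payment processor's code. `TokenVault`, `MerchantStore`, the merchant ids and the card number are all constructed for this example.

```python
import secrets

class TokenVault:
    """Model of a payment processor's vault (hypothetical): the only place the card number lives."""
    def __init__(self):
        self._cards = {}  # token -> (merchant_id, card_number)

    def tokenize(self, merchant_id, card_number):
        # The token is random, not derived from the card number,
        # so it cannot be reversed or decrypted into one.
        token = secrets.token_urlsafe(24)
        self._cards[token] = (merchant_id, card_number)
        return token

    def charge(self, merchant_id, token, cvv, amount_cents):
        entry = self._cards.get(token)
        if entry is None:
            return "declined: unknown token"
        owner, card_number = entry
        if owner != merchant_id:
            # The token is scoped to the merchant that created it.
            return "declined: token not valid for this merchant"
        if not (cvv.isdigit() and len(cvv) == 3):
            return "declined: bad security code"
        # Assumption: a real processor would now pass card_number + cvv to the card network.
        return f"approved: {amount_cents} cents on card ending {card_number[-4:]}"

class MerchantStore:
    """What the shop keeps per account: a token and display digits, never the card number."""
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault = merchant_id, vault
        self.saved = {}  # account -> {"token": ..., "last4": ...}

    def save_card(self, account, card_number):
        token = self.vault.tokenize(self.merchant_id, card_number)
        self.saved[account] = {"token": token, "last4": card_number[-4:]}

    def buy(self, account, cvv, amount_cents):
        # Works from any computer: the shop finds the token by account, not by device.
        token = self.saved[account]["token"]
        return self.vault.charge(self.merchant_id, token, cvv, amount_cents)

CARD = "4111111111111111"               # constructed test number, not a real card
vault = TokenVault()
shop = MerchantStore("shop-A", vault)   # "shop-A" / "shop-B" are made-up merchant ids
shop.save_card("alice", CARD)
stolen_row = dict(shop.saved["alice"])  # what a breach of the shop's database would expose
```

The security code is supplied at purchase time and passed through; neither class stores it, which is why the buyer is still asked for it on every order.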
low rated
Teh ebil Rushhnz are going to haxx your account! xD

Vid related
I'm cutting for post length, especially since the post I'm replying to isn't far off.

matterbandit: Moral of the story? I don't know. LOL! I guess I continue to be as safe as I can be. Like you, I never save my details on any merchant site, nor within my web browser, and I use a pre-paid credit card with very limited funds whenever I shop online. I trust GOG's transaction system, but I also know that nothing is 100% secure. Most credit card companies know this and it's why most have a refund policy for fraudulent purchases.
The moral of the story goes along with the annual security training that I used to go through when I worked in health care, specifically health care enrollment with the exchange in California. This meant that until I quit in 2020, I really did have access to the personal details of a lot of people - names, date of birth, social security numbers, addresses, where people worked, income, who was in the household plus all that same information about them too. This was in addition to things like what health insurance plan people were enrolled with.

The thing that was stated multiple times was the absolute weakest part of any security system is the human employees. Even if a business goes all out with electronic protection, all it takes is one careless employee to compromise things. If/When your information does get compromised, it will be because someone was careless more often than not.