Dealing with PCI means you basically have to rely on the payment processor to store the card and customer data. Intermediaries like Square and Stripe require this and make it easy. It's been a long time since I built anything that spoke directly to a card gateway (i.e. merchant bank), but I'd be pretty shocked if any didn't force you to use their iframe/storage/token solution at this point. Back in the late 90s, e-commerce sites used to just take the customer card numbers in plaintext and pass them to the VeriSign gateway and basically roll their own APIs.