hmm my oppinion is this. what your asking is easy to set up and accomplish...that woudlnt be the issue...what IS the issue is tiy need to confirm what your doing is LEGAL - to hold someones card details (even if you have a secure server with SSL etc) Im sure you need to be registered with an institution. I could be totally wrong) - but you dont want to risk anything that can cause you more headaches right, especially when it comes to the law.
I dont know too much about this, but Im simply guessing that even though you may have a secured server holding card details is a bit more full on...look at what happened to SONY last year with a hacker hacking into their servers..a massive corporation like Sony they have ultra expensive servers etc and can handle massive lawsuits etc. but for small, to medium size businesses could be a different story.