That's a good point. The best way to not leak a secret is to not have the secret in the first place. I don't know anything about PCI rules, but I would imagine there is a way to implement the feature "store this credit card information for future purchases" without storing the raw credit card information.
Yes, you ask for an authorization token for recurring payments from your payment provider if you intend to make subsequent charges from that card. Then you store that token only (and maybe the last 4 digits of the card for the customer’s convenience) and use the token without any other card information to make charges.
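The token-only storage described in the reply above, as an added example that is not part of either comment: a record type that keeps only the provider token and last four digits, and refuses to persist anything that looks like a full card number. The `tokenize` callable is a hypothetical stand-in for a payment provider's API, tokens are assumed to be opaque non-numeric strings, and the card number used is a constructed test value.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value: str) -> bool:
    """True if the string holds a digit run that passes Luhn (likely a card number)."""
    return any(luhn_ok(re.sub(r"\D", "", m.group()))
               for m in PAN_RE.finditer(value))

@dataclass(frozen=True)
class StoredCard:
    """The only card data the merchant side persists."""
    customer_id: str
    provider_token: str
    last4: str

    def __post_init__(self):
        if not re.fullmatch(r"\d{4}", self.last4):
            raise ValueError("last4 must be exactly four digits")
        for field in (self.customer_id, self.provider_token):
            if contains_pan(field):
                raise ValueError("refusing to store a value that looks like a card number")

def save_card(customer_id: str, pan: str, tokenize) -> StoredCard:
    """Exchange the card number for a token; keep the token and last 4 only.

    `tokenize` is a hypothetical callable standing in for the provider call.
    """
    digits = re.sub(r"\D", "", pan)
    return StoredCard(customer_id, tokenize(pan), digits[-4:])

if __name__ == "__main__":
    # Constructed test card number and constructed token value.
    print(save_card("cust-1", "4111 1111 1111 1111", lambda _pan: "tok_constructed_abc"))
```

The same `contains_pan` check can be run over log lines or database exports to confirm that no full card number has ended up in storage.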