It is up to you on how you want to store, handle, and process credit card information. You can either handle it yourself or leave it up to a third party payment gateway.
If you are looking to avoid most PCI Compliance concerns, Broadleaf integrates with several popular Payment Gateways that offer integration methods wherein credit card info never hits your servers (e.g. PayPal, Authorize.net, Braintree, and CyberSource, etc.). As a general rule: If you don’t read, store, or process the PAN (CC#) and/or exp date, then the level of PCI Compliance certification is minimal. If you even remotely touch the card number, then you need to undergo extensive PCI Compliance certification.
Again, storing Credit Card data or even sending that information to your servers is not something that we would normally recommend as the PCI auditing process can be difficult and expensive and 99% of the time you don’t need it. If the requirement is really to just allow customers to save their credit card information, some external payment gateways have a "vault" feature where the customer credit card still never hits your server. Others create a token representing the credit card that can be stored for later use.