
Both yes and no.

In my experience, the bank will trust you if you say that you've implemented a secure, PCI-DSS way to store credit card details. They'll also trust you if you say that you store the numbers on the gateway.

The important thing is to convey that you're aware of the issues, and you've dealt with them.

There is a liability issue with storing card numbers on your own servers, which, iirc, is that if you are breached, the numbers are stolen, and you are subsequently investigated and found not to be in compliance with PCI-DSS, you could lose your merchant account.



Yeah, well if you're not compliant with PCI-DSS then I wouldn't have too much sympathy if that occurred! The rules are not onerous or arbitrary, in fact PCI-DSS reads like Chapter 1 of "Information Security for Dummies".

There's a pretty good summary on the Wikipedia page, but it basically comes down to maintaining competent system/network security, not storing auth data like CVV2 and never displaying full card numbers, restricting access to the card numbers to those who need it and traceably logging it when they do, writing up a "policy" document which consists of stuff like "employees shall not disclose their passwords" etc., and committing to test (and log that you've tested) the whole setup every month or so. No big deal.

Most of it is kind of obvious. A decent operation is going to be doing most or all of that stuff as a matter of course. It's just kind of a checklist really, formalising what you already know to be good practice. Nothing to be afraid of.
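The three storage-side controls the comment above lists (no CVV2 at rest, masked display, role-restricted and logged access to full numbers), as an added illustration that is not from the thread; the vault, role name and sample card number are constructed, and a real store would also encrypt the PAN at rest:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles permitted to see a full PAN (constructed example policy).
PAN_READ_ROLES = {"payments-ops"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects obvious typos."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 12 and total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: PCI-DSS allows at most the first six and last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class CardVault:
    """Toy PAN store (constructed). Refuses CVV2/PIN, checks the caller's
    role and writes an audit entry for every full-PAN read."""
    _cards: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def store(self, token: str, pan: str, **extra) -> None:
        # Sensitive authentication data must never be kept after
        # authorization, so refuse it loudly instead of silently dropping it.
        banned = {"cvv2", "cvc", "pin"} & {k.lower() for k in extra}
        if banned:
            raise ValueError(f"refusing to store authentication data: {sorted(banned)}")
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        self._cards[token] = "".join(c for c in pan if c.isdigit())

    def read_full(self, token: str, user: str, role: str, reason: str) -> str:
        """Full PAN only for permitted roles, and always with an audit entry."""
        if role not in PAN_READ_ROLES:
            raise PermissionError(f"{user} ({role}) may not read full PANs")
        stamp = datetime.now(timezone.utc).isoformat()
        self.access_log.append((stamp, user, token, reason))
        return self._cards[token]

    def display(self, token: str) -> str:
        """Masked PAN for screens and receipts."""
        return mask_pan(self._cards[token])
```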


...in addition to losing your merchant account, you may also pay a heavy fine to Visa and Mastercard, from what I've read.

I've been looking at those things lately since I'm working on an ecommerce platform and it will be my server dealing with my customers' (who sell on my platform) gateway... It's rather complicated.



