The card associations are lately making online orders that rely on pre-authorization (pre-auth) much more difficult.
Different card issuers have different periods and it varies from bank to bank, but the number of days the authorization for the amount (as a "shadow transaction") will be held against the customer's card is going down.
For Card Not Present (Mail Order/Telephone Order, Internet) it can be as low as 2-5 days now.
If you can't rely on pre-auth because your timeframe is so long, storing credit card information with your own merchant account requires you to be Payment Card Industry (PCI) Data Security Standard compliant.
You must store the card number encrypted (or hashed) and you can never store the CVV* past authorization of the card.
(The rules are strict: the CVV must not be stored in any database, nor on any paper form. Yes, that's right. If you write it down and store it past authorization you are in violation.)
This can be a real problem if your credit card acquirer (gateway) insists on CVV to put through a charge as it means you will have to contact the customer again to get the CVV. Many sites ask the customer to "confirm their order" by entering the card number and CVV again.
So, to be able to perform this business model it appears you would have to break the card association rules on storage of cardholder data. This will be expensive if/when your acquirer finds out.
The card associations are tough on Card Not Present (Mail Order/Telephone Order, Internet) merchants, and give them minimal fraud protection, whilst on the other hand adding requirements like this that can really restrict one's business model.
Of course, your mileage may vary.
*VISA refers to the 3-digit code on the back of the card as CVV2, MasterCard calls it CVC2, and American Express calls it CID or 4DBC; on the AMEX card it is 4 digits on the front.
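One way to check stored order data against the two storage rules above (no security code kept past authorization, no card number in clear text), as an added example that is not part of the original post. The field names beyond those in the footnote, the `audit_record` helper and the sample records are assumptions constructed for illustration.

```python
import re

# Names for the card security code: CVV2, CVC2, CID and 4DBC come from the
# footnote above; "cvv" and "cvc" are assumed generic spellings.
CVV_FIELD_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "cid", "4dbc"}

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_record(record: dict) -> list:
    """Return findings for one record persisted after authorization."""
    findings = []
    for key, value in record.items():
        name = re.sub(r"[^a-z0-9]", "", key.lower())
        if name in CVV_FIELD_NAMES and str(value).strip():
            findings.append(f"{key}: security code stored past authorization")
            continue
        for match in PAN_CANDIDATE.finditer(str(value)):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                findings.append(f"{key}: clear-text card number ending {digits[-4:]}")
    return findings


# Constructed sample records (4111 1111 1111 1111 is a common test number).
SAMPLE_ORDERS = [
    {"order_id": "A-1001", "pan_token": "tok_a91f3c7e", "last4": "1111"},
    {"order_id": "A-1002", "card_number": "4111 1111 1111 1111", "CVV2": "123"},
    {"order_id": "A-1003", "notes": "customer phoned, card 4111-1111-1111-1112"},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(order["order_id"], audit_record(order) or "clean")
```

The third record shows why the Luhn check matters: its 16-digit run fails the checksum, so it is not reported as a card number.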