Welcome aboard Lord_Webby.
Are your website and host PCI compliant [pubcon.com]?
This should be your FIRST stop. Have your clients read their contract: if they are using an in-store terminal to process CC info, their contract will explicitly disallow collection of credit card orders by any other means than card present or phone orders. Internet orders are a completely different contract with different fee structures.
Merchant accounts that allow collection and processing of credit cards via the numbers you describe will DEMAND PCI compliance. This involves not only your programming but the security of the network and hardware systems on which you do this; see the link above.
This is a BIG DEAL. If caught, the client will have to pay enormous fines and will be liable for all charges in arrears for the time they are operating in a non-PCI compliant environment.
If they forge onward with this, it's your job to make sure they are informed and you need it in a contract waiving you from responsibility - if it all comes down, you'll be the one they try to blame.
Last I'll throw in - I have *NEVER* encountered a project that REQUIRES storage of CC info. Subscription based, recurring billing, account credit and management, whatever the scenario - there is always a way to do it via a reputable credit card processor, which releases you from a PCI compliance audit. If one doesn't have what you need, another will. So there's "always a way" - if the client refuses to see it out of convenience or a tight purse, that is their decision to make. Just make sure you're covered.
Recent discussion [webmasterworld.com]