If they are allowing storage of the CC, they are obviously storing it somewhere. This means they have to be PCI compliant to do so, and are accepting the responsibilities in the event of any breach.

when the user checks out and the data is sent to the bank they use some return code from the bank to perform the charge etc.

Close.

1. Install valid cert on your site. No processor I know of will accept a silent post (below) from a non-SSL location.
2. Set up online merchant account with bank.
3. Set up account with gateway. It is the gateway you actually connect to, and the gateway is what actually "talks" to the bank. Sometimes these are separate, for example, your bank and Authorize.net gateway. Sometimes they are combined, for example, FirstData/Linkpoint (now Elavon.)
4. Via silent post, you collect the input data and post the data to the gateway. Gateway connects with bank, auth's the transaction (or not,) and returns a response code and other data. Depending on the resonse, you update your database and return a response to the user. The impression is that they've never left your site.

How to silent post? Look into curl, or for PHP, pcntl_curl() if the extensions are installed on your server.

Worry not, all gateways have sample code and test servers to get you set up.