OK , in the UK, to process CC information you have to be approved by a body called APACS - and I'm assuming you would have to obtain similar approval to bill the customer in this manner.

The best advice I can give is discuss it with your approval body or the providers of any systems or software used to submit credit card data, since if you are not approved, they will be and will need to ensure that you are using the systems in an approved manor.

Personally I would be suprised if anyone gave you permission to do this, especially with only a 3 digit pin and that the pin is being sent via sms.

Storing CC info is not a problem in itself. Having systems compromised and the information stolen will represent a problem for you.

Steve