If you do not need these data routinely, you will only have to access them in exceptional circumstances, so you can store them safely using encryption. The ideal, of course, would be to avoid this problem, or let some specialist do it (in particular, pay attention to any existing legislation that establishes minimum safety criteria for this scenario, if applicable). But for reference, the procedure would be as follows:
Generate a public / private key pair on a non-internet-connected computer. Keep this computer off the internet, and free of malware (or at least remove the private key from it, and delete it from its place of origin without leaving a trace);
Export the public key to your web server;
In your web service, when you receive a card and need to store it, encrypt it using the public key and store the result in the bank (continue to discard the data in a flat format as soon as you do not need it anymore);
When / if you eventually need this card data to migrate a service or something:
Export your database to a file, and enter that data into the computer that has the private key;
There, decrypt the data and prepare the script needed to use them;
Move the script to a machine with internet access, run it and erase it immediately (again, using a safe method of removal that leaves no traces).
Bonus: Use a hardware module to generate this pair of keys, so that the private key never exits from that hardware (ie no remote attacker will have access to it, even if 100% of your system is compromised), and once the public key has been exported unplug this module and do not use it again until you have no need.
Source: this answer in security.SE . (Note: pay no attention to my own answer there ...)