PCI level for credit card storage

I'm just wondering what the level of PCI certification will be if you keep encrypted credit card numbers for billing again.

I plan to have less than 20,000 transactions per year, but I'm not sure if I save credit card numbers.

+5
1 answer

If you really (really) need to store card numbers, you fall into the most stringent PCI compliance level. This requires an annual on-site audit, a quarterly network scan, and (as you already know) will be very expensive. This is independent of the number of transactions. (The old first PCI drafts gave different levels depending on the number of cards processed. This is no longer the case.)

/ , , , (SAQ) . , . ( ) , / /

, , QSA (Qualified Security Assessor). , , . , , QSA, PCI.

+5
