Hmmm,
that may be a theory to test.
As PCI compliance changes new 'features' are added every day.

PGMusic may not store your card, but it is possible their gateway does. I have no knowledge of whether they do or don't, but I do know that for the user, you probably wouldn't be able to tell.

Example:
You send your credit card for a transaction. The website just passes that information without saving any of it .. but the gateway that approves the transaction may store it. So a processor like Authorize.net or BNG or FirstData may have the feature enabled on the payment gateway account that does this. The card is stored on the secure system there (often called wallet feature or such) and is pretty much transparent to the user.

In some ways this is good; the next time it is possible that 'tokens' can be used when making any transactions, instead of passing the actual CC number again .. but then again your CC# is indeed stored in another location, on another computer.

Which is worse?
PCI Compliance seems to think that not passing that data any more often than necessary is better. They would be the ones to enforce the change.
So far it is a feature, and not prohibited in my experience.

The more you know!

Make your sound your own!
.. I do not work here, but the benefits are still awesome