There are several options with varying complexity. One, with the payment services that I'm familiar with, you can authorize the card number for the purchase amount which gives you a transaction id. You can then save the tx ID, purge the in-flight CC data objects from your app and just refer to the tx ID that you have to actually execute the bill phase of the TX. You can also use that tx ID to issue a refund if you ever need to. We passed purchasing card industry (PCI) compliance at the level we were required to with this approach, although we had to have the app servers firewalled (of course) and in a separate DMZ and other controls around them, even though we never persisted the CC data.
The other option that I'm familiar with is tokenization. Several payment gateways and partners are offering a processing service by which your credit card data form post is handled externally by another service, the data passed to the payment processor and you just get a token that is used to identify that collection of data. That totally removes you from PCI scope and you never have the personally identifiable data OR the credit card data, in-flight or persisted. These services are generally pricey and vary with the amount of traffic.
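Added example, not part of the original answer and not any real gateway's API: a sketch of the authorize-then-bill flow from the first option, where the application keeps only the transaction ID. `FakeGateway`, its method names, and the card values are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

class FakeGateway:
    """Constructed in-memory stand-in for a payment gateway (hypothetical API)."""
    def __init__(self):
        self._auths = {}  # tx_id -> [amount_cents, state]

    def authorize(self, pan, expiry, cvv, amount_cents):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("card declined")
        tx_id = "tx_" + secrets.token_hex(8)
        self._auths[tx_id] = [amount_cents, "authorized"]
        return tx_id

    def capture(self, tx_id):
        # The "bill phase": needs only the tx ID, never the card number.
        return self._move(tx_id, "authorized", "captured")

    def refund(self, tx_id):
        return self._move(tx_id, "captured", "refunded")

    def _move(self, tx_id, expected, new):
        auth = self._auths[tx_id]
        if auth[1] != expected:
            raise ValueError(f"{tx_id} is {auth[1]}, expected {expected}")
        auth[1] = new
        return new

@dataclass
class Order:
    order_id: str
    amount_cents: int
    tx_id: str  # the only payment reference the application persists

def checkout(gateway, order_id, amount_cents, card):
    """Authorize, drop the card fields, return a record holding only the tx ID."""
    try:
        tx_id = gateway.authorize(card["pan"], card["expiry"], card["cvv"],
                                  amount_cents)
    finally:
        # Purge in-flight card data whether or not the authorization succeeded.
        # This drops references only; Python does not zero the old strings.
        card.clear()
    return Order(order_id, amount_cents, tx_id)
```

The `Order` record is what would go to the database; logging and error handlers need the same care so the card fields never reach disk through a side channel.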