How are credit card numbers stored safely on a server?

Like companies that provide a service and charge you monthly automatically? How are the credit card numbers stored safely so everyone doesn’t know your number? I understand password hashing on servers. Is it similar to that?

7 Answers

Anonymous 0 Comments

I work as a software engineer at an online payment processor. I will talk specifically about online credit card transactions but the ideas are similar for physical credit card transactions.

As others have said, if you want to process credit card transactions, there is this standard called PCI-DSS that you need to comply with.

If you just want to accept credit card payments as a merchant, the best way to ensure compliance is to not collect credit card details at all. There is a large chunk of the PCI-DSS that doesn’t apply when your system does not handle credit card details. The next best is to collect and just pass them to a payment processor and not store them persistently. Many payment processors offer one or more features to do so.

One of those features is a hosted payment form. Different payment processors call it different names (e.g. Stripe Checkout) but the idea is, instead of collecting credit card details yourself, you pass the transaction data (currency, amount, etc.) and open a payment form hosted by the payment processor. The buyer enters the credit card details in that form to give them directly to the payment processor. The payment processor then notifies you of the result of the transaction. This way, your system never sees the credit card details.

Hosted payment forms do not apply to recurring payments like a subscription fee where the buyer is not actively going through the transaction process.

An alternative is tokenizing the credit card details. Whether you decide to use a hosted payment form or to collect credit card details yourself, the payment processor can return some kind of token to you. For subsequent transactions you can use this token in place of the credit card details. The payment processor uses the token to retrieve the corresponding credit card details stored on their system to complete the transaction.
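The tokenization flow described in this answer, as an added example that is not part of the original answer: `ProcessorVault` and `MerchantStore` are hypothetical stand-ins (not any real processor's API), and the card number is a constructed test value. The merchant passes the card details through once, keeps only the token and last four digits, and uses the token for the recurring charge.

```python
import secrets

class ProcessorVault:
    """Stand-in for the payment processor's side (hypothetical, not a real API)."""

    def __init__(self):
        self._cards = {}  # token -> card details; exists only on the processor

    def tokenize(self, pan, expiry):
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token, pan[-4:]

    def charge(self, token, amount_cents, currency):
        card = self._cards.get(token)
        if card is None:
            return {"status": "declined", "reason": "unknown_token"}
        # A real processor would send card["pan"] to the card network here.
        return {"status": "approved", "amount": amount_cents,
                "currency": currency, "last4": card["pan"][-4:]}


class MerchantStore:
    """Stand-in for the merchant's database: token and last four digits only."""

    def __init__(self, processor):
        self._processor = processor
        self.customers = {}  # customer id -> {"token", "last4"}

    def enroll(self, customer_id, pan, expiry):
        # Card details are handed to the processor and never written to storage.
        token, last4 = self._processor.tokenize(pan, expiry)
        self.customers[customer_id] = {"token": token, "last4": last4}

    def bill_monthly(self, customer_id, amount_cents, currency="USD"):
        # Recurring charge: the buyer is absent, so the stored token is used.
        record = self.customers[customer_id]
        return self._processor.charge(record["token"], amount_cents, currency)


def demo():
    test_pan = "4111111111111111"  # constructed sample value, not a real card
    vault = ProcessorVault()
    shop = MerchantStore(vault)
    shop.enroll("cust-1", test_pan, "12/30")
    result = shop.bill_monthly("cust-1", 999)
    leaked = test_pan in repr(shop.customers)  # is the full number in merchant data?
    return result, leaked
```

A dump of `shop.customers` exposes only tokens, which are useless without the processor's vault and the merchant's credentials to it.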
