Don't take this as even close to fact, but I believe they can store the card number just as a physical store can run and keep a carbon imprint if, say, their computers are down. Banks and card issuers actually give brick-and-mortar stores machines to take such imprints with. (I work with retail point-of-sale systems for brick-and-mortar stores.)
The requirements to meet PCI compliance are that the data must be secured to the degree specified in PCI laws and regulations. For an online company this would involve adequate encryption, firewall, network and server security, etc.
Many companies will store only the last 4 digits, and mask (with asterisks) or drop the rest, even if it is adequately secured, to further limit PCI compliance liability.
Whether they *should* be able to store it without consent is an entirely different conversation.