Interesting. I thought you only needed PCI compliance if your server touched the card, no the front-end, but it makes sense. Nevertheless here in Spain we'll need to wait to have tokenization. There's only one gateway - unless you choose Ogone or Adyen - and hell will freeze before it innovates.