It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.
My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.
