Who in their right minds stores credit card information on their web servers these days? To say that's against Best Practices is a bit of an understatement.
I don't see why not. If someone were to breach my account and steal my credit card info, the damage would be limited to an hour it takes for me to replace my auto-paying accounts.
And perhaps the waiting for the replacement card to arrive.
Best practices or not, my credit card account gets unauthorized charges every 2-3 years at least. It's not like I am ever responsible for that.
I'd be more worried about my cell phone number (or even email) going into the wilderness than I would about someone stealing my credit card info.