What third party system are you using?
I know with Authorize.net and Stripe (the only two I've worked with other than basic PayPal stuff... oh, and a really shitty vendor named Payliance*) they allow you to (optionally) pre-auth a card and then store a token for that customer and charge at a future date.
For example:
https://stripe.com/docs/saving-cards

So, like you're doing now, the actual PII and PCI-related data stays at the 3rd party and you just charge it later via API or their web-based dashboard (if the gateway provider has one).
*edit: I just remembered, Payliance was for ACH transactions and did NOT store data; in that case I encrypted the account number in the database. I never had a security or compliance audit, so maybe I didn't do it 100% correctly, but it was a secure encryption method and the database was on a different server than the decryption key.
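
The edit above describes storing an encrypted account number in the database while the decryption key lives on a different server. One way to implement that pattern in Node.js, as an added example that is not part of the original post and not the poster's code: AES-256-GCM, the function names, the customer-ID binding and the stored `last4` are assumptions, since the post does not say which method was used.

```javascript
// Added example: field-level encryption of an ACH account number (AES-256-GCM).
const crypto = require('node:crypto');

// Assumption: in production the key is fetched from a KMS or secret store on a
// host other than the database server. A random key is generated here only so
// the example runs offline.
const KEY = crypto.randomBytes(32);

// Encrypt one account number. customerId is bound as additional authenticated
// data (AAD), so a ciphertext copied onto another customer's row will not decrypt.
function encryptAccountNumber(key, customerId, accountNumber) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(customerId), 'utf8'));
  const ct = Buffer.concat([cipher.update(accountNumber, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte integrity tag
  return {
    // Value for the database column: nonce || tag || ciphertext, base64-encoded.
    blob: Buffer.concat([iv, tag, ct]).toString('base64'),
    // Assumption: last four digits kept in clear for display without the key.
    last4: accountNumber.slice(-4),
  };
}

// Decrypt a stored value; runs only on the host that can reach the key.
function decryptAccountNumber(key, customerId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('stored value too short');
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(String(customerId), 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the key, the AAD or any stored byte does not match.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample values, not real account data.
const row = encryptAccountNumber(KEY, 'cust_1001', '000123456789');
console.log(row.last4, decryptAccountNumber(KEY, 'cust_1001', row.blob));
```

A database dump alone yields only `blob` and `last4`; recovering the full number also requires the key from the separate host.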