This may be personal data, since payment cards are nominal, so may fall within the GDPR. But that does not mean it is a "violation" and that does not mean you should lose sleep over it.
You say you're in the US and you sound like a small entity, so it's not entirely clear why you care about the GDPR, but you want to comply, cool.
As said, this info may be personal data. So why do you want to store it? If it's for security/fraud prevention you should look for a carve-out (legitimate interest, etc.) that would allow you to store it without explicit consent and would possibly also allow you not to delete it on request. In which case, you would be able to simply stipulate in your T&Cs/privacy policy that you are collecting that info for that specific reason, for that specific period of time (all of which should be reasonable).