Do you think companies avoid storing this data? There's no reason for them not to, so they do it. Look at the target hack for an example of real word credit card info stored.
Also, tons of companies have one-click payment options (ever order something from Chipoltle or Dominos app?)
Edit: It should be disincentivised, but look at any "punishment" for a data leak and it's cheaper for them to just lose the data
PCI-DSS compliance auditing is not cheap. There’s the incentive right there.
Individual retailers have no need to store actual cardholder information. All the payment platforms provide ways to persist cardholder information, in a way that allows it to be reused but never read.
Also, tons of companies have one-click payment options (ever order something from Chipoltle or Dominos app?)
Edit: It should be disincentivised, but look at any "punishment" for a data leak and it's cheaper for them to just lose the data