The Payment Card Industry has a set of Data Security Standards: if you want to accept cards, you must comply with their rules, or they may ban you. There are different degrees of compliance requirements. If someone else handles everything (e.g. an external link or iframe), you get the easiest time: Self-Assessment Questionnaire A. If the data is actually in your DOM but you’re submitting to someone else (by form post or by JS), your burden is a little more, but still fairly small: SAQ A-EP. But if the card number is ever going to touch your server, you can’t use these things, and must go up to SAQ D, which is several hundred questions long, and some of the requirements of which may be bothersome, involving things like quarterly penetration testing from approved vendors; and if you have a larger number of transactions, you end up needing mandatory full on-site audits.

(In practice, at the lower levels compliance is not typically validated, and I wouldn’t be surprised if less than 1% of e-commerce merchants were actually fully compliant even at SAQ A.)

Thanks for that! Really interesting :))