- Storing actual images of credit cards is a terrible idea.
- Get legal help
These are just minimum guidelines not hard fast rules that you can take into court.
At minimum the raw data would have to be encrypted.
Your better off creating a database, and having the data transcribed or OCR into normal fields.
I am sure the PCI-DSS has guidance for what level and type of encryption is needed to protect the database.
A database is better because the actually data lives outside the reach of the web server. Then the PHP would have to give a secure username and password to access the data because it has to authenticate against the database.
The username and password would have to be manually entered by the end user or site administrator to access the data.
There is a lot of hardening your going to have to do to make it acceptable.
Here is a starting point.
https://security.stackexchange.com/questions/59520/how-to-store-credit-card-information-for-repeated-transactions-and-still-be-pci
Ask more question in the security community at stack exchange.