If they are using sage/world pay, those providers I doubt leak credit card information, and i think they are both redirect payment providers, so card details aren't taken on their customers server.. so I don't know how this would happen?
If they do offer solutions where its tunneled through their customers server, they've probably stored them in some form (naughty: database, stupid: logs)