Companies can store any information about you which is included in their registration under the Data Protection Act. (I wouldn't be able to post this reply if my ISP didn't store my credit card details because my monthly payments are automatically taken from a credit card).

However, one of the underlying principles of the DPA is that personal data should not be kept for longer than is necessary. So a company can retain credit card details for as long as the vendor-customer relationship is reasonably likely to exist. (e.g. my ISP can obviously hold onto my credit card details while I'm using it for monthly payments. If I ran out of credit on that card, resulting in the termination of service from my ISP, the ISP could keep the details for long enough to see if I was able to resume making payments with the card, but not indefinitely).

The company you dealt with might argue that they need to keep your card details on file in case you return faulty goods, resulting in them making a refund to the account which you'd used to pay for the goods. In which case, they'd have the right (subject to the terms of their registration under the DPA) to retain your card details until the end of whatever period they'd offer a refund (rather than repairing or replacing the goods). Beyond that time, they'd have to show that they had reasonable cause for believing that there was an ongoing vendor-customer relationship in place.

General information about the DPA is here:
http://www.ico.gov.uk/Home/what_we_cover/data_ protection.aspx

Chris

and in addition to what Chris says, you may somewhere in the initial purchase have authorised them to retain the data.

I recently made an online purchase where I was given the option 'retain CC data for future use'. I had to click to accept, (I didn't) but some companies may do it the other way round.