opayo pci-compliance

SagePay repeat payments using CV2 number


When performing a repeat payment we need to provide the CV2 number because SagePay does not store it. As we are taking the payments automatically (overnight task) it means we need to store the number in our database (as the customer will not be typing it in).

We also store the last 4 digits of the card number and the expiry date for information.

Does any of the above make us non-PCI compliant, or does it not matter because we are not storing the actual card details on our server?


Solution

  • You are not allowed to store the CV2 number post auth. That's a big no-no.

    Sage Pay will accept a REPEAT payment (using a CA MID) without the CV2. Your acquiring fee will be based on the fact that you are using a CA