Ah well never mind. After a lot of research and reading I managed to find a reasonably secure method.

My inspiration basically comes from http://www.ubercart.org/forum/bug_reports/4962/pci_dss_session_handling_... and the fact that PCI standards do actually allow storage of PAN number in encrypted form.

When the credit card data is first submitted and the only time I have access to the whole card number I grab the first 12 digits of the card and store it in the session and that too encrypted using Ubercart's own encryption. Drupal sessions are not stored in files (which can be accessed by others) but in the database (so an added plus). Once the full card number is required I decrypt the 12 digits from the session, remove the session (to allow only one call to this) and then fetch the last four digits from the standard order details and make the call to the gateway. So this session lasts only for the duration of this whole procedure. Kinda hackish but it seems good to me after having it discussed with some folks.

So according to the PCI standards:
- Am not storing the whole PAN number at any given time in a single consolidated location (which is allowed in encrypted form actually, http://www.ubercart.org/files/pci-dss-storage.png) but in broken forms and that too encrypted.
- Am not storing any other details which are not permitted to be stored (like CVV).
- The only detail that can be used to get the whole card number, i.e. the 12 digits, is stored only for the duration of the transaction. And this is only possible if the server is compromised. Then we have a whole host of other problems on our hands as mentioned by Ryan in the other post.

So I guess am done with modules and are pretty easy to implement in existing gateways and can be extended with MPI modules quite effortlessly. Now I see on how to contrib them here.