Storing credit card information on an internet connected server, as 99% of X-cart users would be doing if they used that feature, is illegal. It does not meet the Payment Card Industry Data Security Standards. Encryption is not nearly enough to meet those standards, especially when the decryption code is sitting on the same server as the encrypted data. Fines for violations under the Visa and MasterCard operating regulations are in the half million dollar range.
You should stop recommending this to people.
Your software shouldn't even support it, doing so only helps merchants put themselves in a position where they're legally liable and exposes card information to hackers.
If you're going to do recurring billing, then the payment information needs to be stored somewhere that does meet those standards, such as on Authnet's servers. That's why they offer two ways of doing recurring billing - Automated Recurring Billing (ARB), which is good for billing a fixed amount on a fixed cycle, or Customer Information Manager (CIM) which you can use to make arbitrary charges based on a reference ID alone.