I believe you ask for it the first time. Once its approved once you can assume they have the physical card.

But yes, you are not supposed to store the CVV2. Via http://en.wikipedia.org/wiki/Card_Security_Code#CVV2_limitat...:

Since the CVV2 may not be stored by the merchant for any length of time[2] (after the original transaction in which the CVV2 was quoted and then authorized and completed), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.

you can also process transactions without a cvv. credit card companies just charge you (the vendor) more for these transactions, just like those without verified addresses and cards entered by hand versus those swiped through a reader.

Some payment gateways support subscription billing trustcommerce.com had this feature.