As @TomScott has indicated, PCI DSS requires token representation of CC data once it is stored on their server. For purposes of purchase history keeping, CC records cannot be deleted. You can modify some of the associated information and, of course, add new information, but not delete.
Regarding subscription cancellations, you can, also as indicated, cancel subscriptions through the API; however, be aware that with some gateways, like PayPal, that cancellation doesn’t propagate by itself and the user would have to cancel the subscription in their PP app (or other gateway portal) themselves. Others don’t set up subscriptions but rely on IS to run a monthly charge, so in those cases, that would not apply.