Recurly tokenizes and store the credit card data on our end (which also makes it easier if you need to change gateways in the future). That said your customer’s sensitive data as mentioned on our site here (https://recurly.com/security) is stored using several layers of encryption in a segmented network with no public internet access. New encryption keys are generated on a daily basis, and existing keys are rotated on a regular basis. Sensitive information is encrypted by an SSL connection when in transit over public networks with SSL connections using TLS v1.2 or above. Additionally, we share a bit more about our PCI compliance in our documentation here.
Furthermore, our documentation here (https://docs.recurly.com/docs/user-management) outlines the user roles and permissions that can be applied to your staff accounts. You will want to make a note of the read only and can edit permission levels but at either level your staff will be able to view your customers physical and email addresses.
Last, ultimately you will need to consult with a qualified security assessor (QSA) about this to ensure that you are following all guidelines. If you do not currently have a QSA, you can find a list of PCI-approved QSA’s at: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors