Can I increase the Key Exchange and Cipher Strength I'm using for a 100% score on SSLabs?

You have done this. I'd be much more worried about what happens to those credit card numbers once they're on your server, or worried about people putting fraudulent credit card numbers in, than worried about which secure-enough cipher suite was used to get the data from the user to your server.

Well, looking at your Qualys report's handshake simulation, if you turned off TLS 1.2 you wouldn't be able to get users from Android 8 or earlier, IE 11 or (pre-Chromium) Edge (even on Windows 10), Safari 10 or earlier, and probably some web crawlers (as it says Googlebot, Yahoo Slurp, and so forth only use TLS 1.2). I don't know how accurate Qualys's estimations of protocol negotiations are, but if it were me, I'd rather people be able to find my site in search engines and submit me those credit card numbers over TLS 1.2 rather than not have them find my site working at all. At some point, yes, perhaps some point soon, disabling TLS 1.2 could be a normal thing, but I don't think we're at that point for sites wanting to be generally available on the Internet quite yet. Maybe give it another year or two. There is no known or theoretical break in TLS 1.2 at this time.

I'm not sure how much they've published on their scoring algorithm (as it of course changes over time), but Qualys does have a Best Practices document available which maybe you'd find interesting since you're so interested in Qualys's opinion of how secure a site is.


EDIT: Aha! I found their scoring guide:

https://www.ssllabs.com/projects/rating-guide/index.html

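As an added illustration of the trade-off described in the reply above (not code from this thread or from Qualys), here is a Go program that runs a TLS handshake over loopback between a server offering only a 256-bit ECDHE suite with P-384 key exchange and a client capped at a chosen protocol version, so you can watch a TLS 1.2-only client being turned away when the server requires TLS 1.3 and admitted when TLS 1.2 stays enabled. The self-signed certificate, the loopback listener and the `Handshake` and `must` helpers are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
)

// must panics on setup errors so Handshake's error reflects only the TLS negotiation.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Handshake runs one TLS handshake over loopback between a server accepting serverMin..TLS 1.3
// and a client speaking at most clientMax; it returns the negotiated version and cipher suite.
func Handshake(serverMin, clientMax uint16) (uint16, uint16, error) {
	// Throwaway self-signed P-384 certificate, generated in memory (constructed test material).
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   serverMin,
		// TLS 1.2 clients get a single 256-bit ECDHE AEAD suite (TLS 1.3 suites are fixed by the protocol).
		CipherSuites:     []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
		CurvePreferences: []tls.CurveID{tls.CurveP384}, // ECDHE over P-384 only
	}
	cliConf := &tls.Config{
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // the cert above is self-signed; no CA exists to verify it against
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(must(ln.Accept()), srvConf).Handshake() }()
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), cliConf) // Dial runs the client handshake
	if err := errors.Join(cliErr, <-srvErr); err != nil {
		return 0, 0, err
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

`Handshake(tls.VersionTLS13, tls.VersionTLS12)` fails with a protocol-version error (the Android 8 / IE 11 situation), while `Handshake(tls.VersionTLS12, tls.VersionTLS12)` succeeds on TLS 1.2 with TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and a TLS 1.3-capable client still gets TLS 1.3 from the same server.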