rachel123 - 11:07 pm on Feb 20, 2010 (gmt 0)
Well it's certainly legal (in the US).
But it's definitely not PCI-compliant.
Two different animals.
ETA: and could also be a breach of TOS if they are using an offline card-present terminal to run card-not-present transactions on a routine systematic basis.