jwolthuis - 12:31 am on Feb 22, 2013 (gmt 0)
The PA-DSS standard requires that the merchant encrypt sensitive communications over the Internet. If the email were encrypted, and the merchant acted to protect the payment information, and didn't retain it, the practice would be fine.
An unencrypted email doesn't meet the standard of PA-DSS. But if you've ever read your card number over the phone to someone, or handed your card over to a bartender to run a tab, you've placed your payment information into a much riskier situation than the owner of this site. I'd simply set him up with an offsite payment processor, so he doesn't have to deal with silly offline processing of credit cards.
And watch out for so-called "PCI Consultants" who will gladly charge you thousands for an audit. They do these audits without looking at a single line of source code, but instead rely on "scans" of your website. Your customer is probably considered a "Level 4" merchant, and an annual self-assessment questionnaire is required; not the payment of thousands to a consultant.