lorax - 2:07 pm on Feb 23, 2013 (gmt 0)
Bad situation as is and while the chances may be slim something will happen, if it did, it could be huge issue for your client.
Why not write a quick script that dumps the data into an encrypted db instead of emailing it. Then write an admin interface that allows your client to access the info via https? He could get the data then delete the record. Of course, this brings up it's own PCI compliance issues.