This is a major violation of PCI rules. You can obtain the documents here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
It would be smart to go with a third party like Google Checkout or something similar. Becoming PCI compliant is a big headache and involves annual reviews (may be self assessed), which can include penetration testing, etc. If you really examined it, he probably does not need to have access to the credit card information at all, just the transaction ID. Not only do you need to encrypt the data, you must have an elaborate scheme for protecting the encryption keys. This is much bigger than what a small business wants to get into. Some of the advice above sounds good, but it does not meet the PCI specification. Read the documents and you will quickly see it is a large undertaking. I currently support an in-house PCI compliant system and had to spend significant effort to get it up to standards. We also had to make a number of network changes. It will be cheaper for the business to convert to third party.
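The point above about keeping only the transaction ID rather than the card number is the usual way a small merchant keeps the card data out of its own systems. The following is an added example, not code from the answer's author or from any processor: it assumes a hypothetical third-party processor response with `transaction_id`, `amount_cents`, `currency`, `last4` and `card_brand` fields, builds the in-house order record from only those fields, and scans every stored value with a Luhn check so that a full card number cannot slip into the database through a free-text field such as order notes.

```python
import re

# Matches a run of 13 to 19 digits, optionally separated by spaces or dashes,
# that is not part of a longer digit run. Candidates are then Luhn-checked.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a card-number-like value (13-19 digits, Luhn-valid)."""
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def build_order_record(processor_response: dict, order_id: str, notes: str = "") -> dict:
    """Build the record the merchant stores: the processor's transaction reference
    plus non-sensitive display data. The full card number is never copied, and
    every stored value is scanned so a PAN cannot arrive through another field.

    processor_response is a hypothetical shape for illustration, not any real API.
    """
    record = {
        "order_id": order_id,
        "transaction_id": processor_response["transaction_id"],  # what refunds/lookups need
        "amount_cents": processor_response["amount_cents"],
        "currency": processor_response["currency"],
        "last4": processor_response["last4"],                    # permitted display data
        "card_brand": processor_response["card_brand"],
        "notes": notes,
    }
    for key, value in record.items():
        if contains_pan(str(value)):
            raise ValueError(f"field {key!r} contains a card-number-like value; refusing to store")
    return record


if __name__ == "__main__":
    # Constructed sample response; the values are made up for this example.
    sample_response = {
        "transaction_id": "txn_7f3a9c",
        "amount_cents": 1999,
        "currency": "USD",
        "last4": "4242",
        "card_brand": "visa",
    }
    print(build_order_record(sample_response, "order-1001", notes="gift wrap requested"))
```

Because the in-house record holds only the processor's reference and the last four digits, there is nothing in the merchant's database that would need the encryption and key-management scheme the answer describes; the guard is there to catch the accidental case, such as a support agent pasting a card number into a notes field.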