PCI DSS is a set of standards that every organisation transacting by credit card must abide by, regardless of business size. You can’t partially comply.
One of its requirements is that credit card information must not be captured, transmitted, or stored via email. This is because a standard email is considered unprotected: it is sent in clear text and it leaves a trail of copies (in the ISP’s store-and-forward gateway, in inboxes, sent folders, drafts folders, email trash, web browser caches and computer recycle bins).
It goes on to state that it is a violation to request or transmit credit card information by email.
Although our software makes no such request, we are making a change to our software to spell out this requirement.
If a person were to send you an email with their credit card details, say:
Visa Card
Card Number: 4550064304232410
Expire Date: 01/2023
CVV 322
You have not done anything wrong unless you requested this information, but if you reply to that email you have to change the text to something like this
Visa Card
Card Number: ************2410
Expire Date: **/****
CVV ***
before you can reply.
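As an added example (not part of the original post), the following helper applies the masking shown above to an outbound reply before it is sent: the card number is reduced to its last four digits, and the expiry and CVV are blanked out. The Luhn checksum filter (used so that order references or phone numbers are not mangled) and the sample message are my own assumptions, not taken from the page.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Labelled expiry (MM/YY or MM/YYYY) and CVV/CVC fields, as they appear in typical emails.
EXPIRY_RE = re.compile(r"(?i)(exp(?:ire|iry)?(?:\s*date)?\s*:?\s*)(\d{2})/(\d{2}(?:\d{2})?)")
CVV_RE = re.compile(r"(?i)\b(cv[vc]2?\s*:?\s*)(\d{3,4})\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match):
    """Keep only the last four digits of a Luhn-valid number; leave other numbers alone."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_valid(digits):
        return raw              # e.g. an order reference that merely looks like a card number
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_card_data(text):
    """Mask card number, expiry and CVV in free text, matching the format shown above."""
    text = PAN_RE.sub(mask_pan, text)
    text = EXPIRY_RE.sub(lambda m: m.group(1) + "**/" + "*" * len(m.group(3)), text)
    text = CVV_RE.sub(lambda m: m.group(1) + "*" * len(m.group(2)), text)
    return text


def contains_card_data(text):
    """True if redaction would change the text, i.e. card data is still present."""
    return redact_card_data(text) != text


# Constructed sample message (assumption); 4111 1111 1111 1111 is a well-known test number.
SAMPLE = (
    "Hi, please charge my card.\nVisa Card\nCard Number: 4111 1111 1111 1111\n"
    "Expire Date: 01/2023\nCVV 322\nOrder ref 1234567890123\n"
)

if __name__ == "__main__":
    print(redact_card_data(SAMPLE))
```

A mail client or helpdesk hook can run `contains_card_data` on the quoted text of a reply and refuse to send until `redact_card_data` has been applied.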
I actually suggest that you use a payment gateway like PayPal.