Oooooh, I’ve had this request before.
I had to look into it extensively for a school that always takes down cc info because too many things change later on in the year with tuition.
From the client’s side, there are aspects they need to have in place. This is not really your problem, but if they’re newish or on the heimish side, it might be good to check. They need a) a very secure place to store this information, and b) they must have legally signed consent anytime they charge the card. The credit card companies/payment gateways may check up on this, so it’s important. If it’s, say, a community kollel with a donor who occasionally says, “I’d like to donate, charge my card” – they can’t just charge it. They must obtain consent.
A user-submitted payment on a website is considered user consent. If the client is charging people from their card info, s/he will need to send them some kind of consent form. You can do this with online signature forms like DocuSign, SignRequest, Adobe eSign, etc.
From your end, it’s sticky. You cannot take cc info through a form that’s not designed for cc info, because it gets stored in your database, sent to email, etc.
In the end, my solution was to integrate a third party API called SendSafely. It sends information in a secure environment so that you can log in and copy down sensitive info.
They have cheaper plans if you use their portal (so direct people offsite). The school I was developing for chose to pay for a Business plan so that we could integrate it directly on their website. It looks like an ordinary form, but it’s all sent through SendSafely. (We asked them if we could have a reduced fee because we only needed 2 out of the 10 users, and they made it $60/mo instead of $100.)
This worked out perfectly for the school, and they now use it for other sensitive documents that shouldn’t be passed via email.
There may be other possibilities, particularly if you are willing to go offsite. Onsite, this was the best I found.