I would think that it would be hard to maintain PCI DSS compliance under this policy. PCI DSS 3.1 requires TLS 1.1 during the transaction. PCI DSS 3.0 required encryption as well (but with a lower bar for the encryption algorithm). Email is unencrypted. This means that the user's only interaction with your system is over an unencrypted connection.
If you move forward with this, they will likely lose their ability to process credit cards after the first audit.
I would think that it would be hard to maintain PCI DSS compliance under this policy. PCI DSS 3.1 requires TLS 1.1 during the transaction. PCI DSS 3.0 required encryption as well (but with a lower bar for the encryption algorithm). Email is unencrypted. This means that the user's only interaction with your system is over an unencrypted connection.
If you move forward with this, they will likely lose their ability to process credit cards after the first audit.
My reading of the question was that the email contains a link that goes to the website where the transaction is handled.