Setting up a fully compliant merchant facility is expensive - that's why most sites actually make use of a third party merchant facility. Apart from not having to spend huge amounts of money on setting up a PCI compliant system you also avoid all the risk of being fined if someone finds a hole in your security and manages to obtain any of the credit card numbers as the third party provider you use would be the one taking that risk.
Many banks and a number of other large financial companies offer access to use their payment processor for the processing of online credit card orders. It would just be a matter of finding one that doesn't charge an excessive fee.
Perhaps the easiest way to explain the problem to your client is to explain that one of the conditions for processing credit card orders is that the numbers are not allowed to be stored on a computer that is connected to the internet. As emails are stored on computers attached to the internet they must never contain credit card numbers. If someone were to send their credit card number by email and it was then used by someone else to make purchases then the only person that the card owner would have any chance at all of getting compensated for the loss from would be the person who convinced them to send their email address by email in the first place. The card issuer accepts no responsibility and prohibits such use of credit cards that they issue.