Thank you Stephen,
I should have clarified that some. They have users fax a completed form to their internal fax server, which PDFs the fax and emails it internally to a processing account to be uploaded into their database system. So the email is all internal, but still it's in an unencrypted form on that server, which isn't good. So, that's why I was asking them to set up an HTTPS web server for direct input from the user across the internet to the database server. The question becomes, what are the requirements that need to be met if they are accepting the card number (including the expiration and code), storing it encrypted in their database, and then allowing specific agents to access that information to use to pay a 3rd party for the user?
Does this make them a service provider?
Is there an issue regarding the storage of that information in the first place?
If they write an application that retrieves the card information from the database, only displaying the last 4 to the processing agent, and then behind the scenes passing it to the 3rd party for payment, does that make it a payment application?
What I need to do is figure out what they are, so I can figure out what the requirements are. They are even talking about using an SFTP/EFT server with an HTTPS web frontend as an option for transferring files encrypted from the user.