Yeah, no. That's someone who is lazy and not following our rather comprehensive credit card regulations [0]. PCI DSS is required by both VISA and MasterCard, who are the only one's approved by said regulations. CVV storage is not permitted.

If you reported them, chances are, the business would be shut down.

[0] https://www.rba.gov.au/payments-and-infrastructure/payments-...