by lostapathy 2815 days ago
Ironically, for businesses that operate under HIPAA regs, any doctor I've had take my credit card had paper forms that were nowhere near PCI compliant.

> nowhere near PCI compliant

This I do not doubt at all...

My favorite - I had a routine-but-niche lab test done at a doctor I'd never been to before. They wanted a credit card "on file" in case insurance didn't pay.

They had a paper form for my name, address, SSN, credit card number, and even the CVV2 code off the card. I left the SSN and credit card info all blank, handed them the form and the card and told them I wasn't comfortable writing it all down (at least if there was a breach, it's not in my handwriting, right?). Which then got put in a pile on her desk until god knows when.

Insurance paid for the test ... at their negotiated rate of under $3. For that, I would have just paid cash and saved having personal information left lying around.