Exactly. When we last went through our PCI compliance rigamarole, they told us if anyone ever told us their CC number over the phone we were to open a text editor on our machines, type it without saving and then close it without saving when done. Apparently our writing on a physical notepad and destroying the piece of paper when done with it was not secure enough, so we had to introduce the possibility of keyloggers to our process.
Don't you have to type in the number anyway? It sounds like a keylogger would just get it a little later if you wrote it down on paper first.
One potential reason it's preferable to use an innocuous, generic text editor is the potential supposition by an attacker that they only need to infect and/or monitor the card processing application. If someone spreads a malicious update that has a built-in keylogger only for that application, for instance, copy+paste from the non-infected program would stop it from recording the data.
Though I think that's stretching it a bit. Maybe your auditors encountered something similar previously?
We had a front desk that would take calls and pass info along to the appropriate staff (on a different, largely segregated network). We don't want people emailing CC numbers or any customer data, really, internally, so it would be passed along via a note. But these cases rarely ever came up. We work with transaction numbers and 99% of staff has zero reason to know any credit card information.
It was something the auditors just brought up on their own, so yeah, I'm assuming they'd run into it before.
The no paper rule isn't protecting against outside hackers, but from your own employees. Many call centers now have a strict no paper/no cellphones policy because the employees liked stealing CC numbers.
