Don't you have to type in the number anyway? It sounds like a keylogger would just get it a little later if you wrote it down on paper first.
One potential reason it's preferable to use an innocuous, generic text editor is the potential supposition by an attacker that they only need to infect and/or monitor the card processing application. If someone spreads a malicious update that has a built-in keylogger only for that application, for instance, copy+paste from the non-infected program would stop it from recording the data.
Though I think that's stretching it a bit. Maybe your auditors encountered something similar previously?
We had a front desk that would take calls and pass info along to the appropriate staff (on a different, largely segregated network). We don't want people emailing CC numbers or any customer data, really, internally, so it would be passed along via a note. But these cases rarely ever came up. We work with transaction numbers and 99% of staff has zero reason to know any credit card information.
It was something the auditors just brought up on their own, so yeah, I'm assuming they'd run into it before.
One potential reason it's preferable to use an innocuous, generic text editor is the potential supposition by an attacker that they only need to infect and/or monitor the card processing application. If someone spreads a malicious update that has a built-in keylogger only for that application, for instance, copy+paste from the non-infected program would stop it from recording the data.
Though I think that's stretching it a bit. Maybe your auditors encountered something similar previously?