Channel: Spiceworks Community

Legal Liability for Emailing Credit Card Numbers

There are very clear requirements for compliance with PCI, and any merchant or credit card processor (including both of the companies in this scenario, unless Company B is really not processing credit cards at all, in which case they have no need for the data in the first place) will have agreed to these standards as part of signing up with whatever service they use for credit card processing. Specifically, requirements 4.1 / 4.2 outline how the Primary Account Number must be handled, and not only are they out of compliance by emailing these without encryption, but are likely out of compliance with requirement 3.4 if they are simply storing them on their server (or someone's PC!) without being encrypted.

See this explanation from the PCI Council

Or, you can see the actual PCI Data Security Standard.

There have been major fines for violating...

