Guidelines for Merchants re writing down of Security Code?

The other week in a single day I completed 4 Charitable Donations forms where in 2 instances the paper form only asked for Cardnumber & Expiry Date, whilst in the other 2 instances they also asked for the Security Code to be written down.

In the latter instance, one of the forms was subsequently returned to me as it was incomplete. If that had been intercepted or discarded then there would be scope for mischief/fraud/identity theft? Is there any regulation that says they should not be doing this?

I'm fully aware of the PCI rules regarding storage of such data, this issue is to do with simply recording it on paper and entrusting it to the Royal Mail. 

I polled a rival PCI Industry forum 2 weeks ago, and I've received no responses. 

Perhaps its no wonder that Merchants don't know what to do, if the members of such PCI groups haven't seen fit to inundate me with responses? But if some Merchants can process the transaction without Security Code, why should others have to ask for it - we're talking about sums less than £50.

So I thought I'd ask the same question of the esteemed Finextra community - don't let me down!