You were given access to the site, you had the opportunity to see what was "around" there. Fraudsters rarely act like this, somehow it would be stupid.
Write to the customer, let him delete your e-mail. And deal with the end. You formally cease to have anything to do with it.
In general, the store receives card data in an unencrypted form. This is fine. How and where he stores it is his business, as long as it doesn't leak. If you think that this is a leak, and not an internal kitchen, then inform as many interested people as possible about this. This then, if anything, will go as a plus during the defense.
And so in our country such nonsense that no one will give guarantees. Planted for likes. Well, today they don’t put people in jail anymore, but tomorrow they will come up with a new nonsense. In short, even if there is a case against you, I think you have every chance of winning. But it won't work, IMHO.

Looking at what card data. If the card number is complete and the CVV2 / CVC2 code with the card validity date and owner, and the customer does not have a banking license - and it is most likely not, since they would hardly have left your email, since there are strict software requirements, then this is a reason file a police report immediately. Otherwise, if the owner of the card is found to be missing, they will also contact you. And then try to prove it - maybe you left your email there on purpose ...
If the card data is incomplete - the card number is blinded and the CVV2 / CVC2 code is missing - then just unsubscribe to the customer to remove your email from the code out of harm's way ...

The site was ready before me, I just wrote a script to send...

If you consider this from your point of view, it turns out that all manufacturers of knives, axes, etc., must wind up sentences without getting out of prison?
And if I commit an offense using only basic OS tools - will the OS developer / manufacturer be put in jail?
Do not take the bad in your head, but the heavy in your hands.

In general, I agree that suspicion is not a reason for sudden movements. It is necessary, first of all, to collect more information, on the basis of which it would be possible to draw some unambiguous conclusions.
This security hole needs to be closed. To do this, you need to notify the customer in writing about the need to remove the debug sending of letters. And at the same time ask for what purposes credit card data is being sent.

It is impossible to answer this question unambiguously.
If this person is a scammer, if he is caught, he may very well turn you in as an accomplice, even if you did not know anything at all. The police are much more interested in "exposing a criminal group", so they are pushing for this, usually. So the fact that formally, you did not participate in a criminal conspiracy does not mean that this will not be "sewn" to you.
If he's a fraud, it's not easy to find out without exposing yourself. Just asking directly is not an option.
So think.
If he's not a swindler, then it's still not done that way, of course. And to understand whether this is fraud, or just terrible stupidity, is also simply impossible.

Last week, somewhere in Kirov, the head physician of a polyclinic was locked up in a pre-trial detention center because some crazy woman starved her child to death in her area. Try to logically connect these two events ...
As things turn out, you will have problems of this size.
The most accurate answer for Russia.
Simply, do not make unnecessary movements and find a lawyer in advance, talk to him first and leave his phone number with your family (well, save the money).

You will be sent for storage. The drummer of your mail takes you away from responsibility.

Was there a written contract, that he was the customer, and you are the executor of some part of it? If there was no written agreement and everything was in words, then you are an accomplice. Go to the customer's website, see what's there, and then draw conclusions where to run. Whoever betrays everyone first is clear before the law :-)