I would just reply back saying that it's insecure to send credit card information in this manner and that you already submitted it via their secure site when you booked originally. I think replying back with the last 4 digits of the card you originally charged it to should be sufficient. You really have nothing to lose by trying.