Single-member LLC (disregarded entity) is the way to go; set up a separate bank account and bookkeeping so that you are treating it as a legitimate business. In CA it cost me around $800 to form with a tax attorney, and the min state tax is also $800/yr. All worth it for the peace of mind that you have at least some protection if 10yr from now someone tries to sue you for whatever reason.
Report it, and let him know too. He must be doing less than $1m/mo if it's gone on for a while; 3rd-party audits are mandatory otherwise. It's a small-time risk to the PCI folks anyway; they're not going to screw up his livelihood, they're just going to tell him to use a merchant processor or tokenize, would be my guess.