First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.
The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.
This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.
Yes, it is common for ISPs and email service providers to store your password in plain text, or a format which is easily recoverable to plain text.
The reason for this has to do with the authentication protocols used with PPP (dialup and DSL), RADIUS (dialup, 802.1x, etc.) and POP (email), among others.
The tradeoff here is that if the passwords are one-way hashed in the ISP's database, then the only authentication protocols that can be used are those that transmit the password over the wire in plain text. But if the ISP stores the actual password, then more secure authentication protocols can be used.
For instance PPP or RADIUS authentication might use CHAP, which secures the authentication data in transit, but requires a plain text password to be stored by the ISP. Similarly with the APOP extension to POP3.
Also, the various services which an ISP offers all use different protocols, and the only clean way to have them all authenticate to the same database is to keep the password in plain text.
This doesn't address the issues of who among the ISP's staff has access to the database, and how well it is secured, though. You still should ask hard questions about those.
As you've probably learned by now, though, it's almost unheard of for an ISP's database to be compromised, while it's all too common for individual users to be compromised. You have risk either way.
See also "Am I wrong to believe that passwords should never be recoverable (one way hash)?" on our sister site IT Security.
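The CHAP and APOP constraint described in the answer above, as an added example that is not part of the original post: the server must recompute the client's digest from the shared secret itself, so a one-way hash of the password in the database cannot verify the response. The password, salt, banner and the PBKDF2 stand-in for the stored hash are constructed assumptions.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def apop_digest(banner: bytes, secret: bytes) -> str:
    """APOP (RFC 1939): hex MD5 of the server's timestamp banner + secret."""
    return hashlib.md5(banner + secret).hexdigest()

def one_way_hash(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way stored password hash (PBKDF2; an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def server_verify_chap(stored: bytes, identifier: int,
                       challenge: bytes, response: bytes) -> bool:
    """The server recomputes the response from whatever its database holds."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"correct horse"                   # constructed sample value
    salt = b"constructed-salt"                    # constructed sample value
    hashed = one_way_hash(password, salt)         # what a hash-only DB holds
    identifier, challenge = 7, os.urandom(16)     # server's fresh challenge
    banner = b"<1896.697170952@pop.example.test>" # constructed APOP banner

    # Client side: it knows the password and answers each challenge.
    chap = chap_response(identifier, password, challenge)
    apop = apop_digest(banner, password)

    return {
        # Database holds the plain text password: verification works.
        "chap_plaintext_store": server_verify_chap(password, identifier, challenge, chap),
        "apop_plaintext_store": hmac.compare_digest(apop_digest(banner, password), apop),
        # Database holds only a one-way hash: the digest cannot be rebuilt.
        "chap_hashed_store": server_verify_chap(hashed, identifier, challenge, chap),
        "apop_hashed_store": hmac.compare_digest(apop_digest(banner, hashed), apop),
        # The password itself never crosses the wire, only the digest does.
        "password_on_wire": password in chap,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```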
Best Answer
No, a bcrypt hashed password with a reasonable work factor should be plenty secure on its own.