There is no specific rule that requires a vendor to use PGP however you should look at it like this, any vendor unwilling or unable to use PGP should be avoided because it speaks volumes about their attitude and approach to both their own and your safety and security. If they are not using this most very basic and fundamental security measure I would question what other risks they are taking in their vending operation.