-% # If we can't see the unencrypted card, then bill now is an exercise in frustration
-%if ( ! $cust_main->is_encrypted($cust_main->payinfo) ) {
+%# If we can't see the unencrypted card, then bill now is an exercise in
+%# frustration (without some sort of job queue magic to send it to a secure
+%# machine, anyway)
+%if ( $FS::CurrentUser::CurrentUser->access_right('Bill customer now')
+% && ! $cust_main->is_encrypted($cust_main->payinfo)
+% ) {