According to PCI standards, a merchant may never store lists with customer’s card data on any medium which is not PCI compliant. Word documents and spreadsheets, even if they have a strong password, are not PCI compliant, and thus may never be used to store lists with card info. Even if you create a custom program with many levels of security, it is still not PCI compliant.
(The exception to this regulation would be to store the info of one card on a piece of paper. However, multiple numbers are never allowed, even on paper)