In the past I connect to the user to an SSL-secured portion of my site, asked for or updated their details. I used their credit card's security code plus the customer's ID in the database as the pass phrase to encrypt their credit cards (I used Rijndael for encryption).
I didn't like doing it but I stored the customer's security code in session for at least one action before decrypting the card and sending it to Authorize.net.
I'm curious to hear how others have handled the flow of checkout on e-commerce websites.