In the past I connect to the user to an SSL-secured portion of my site,
asked for or updated their details. I used their credit card's security
code plus the customer's ID in the database as the pass phrase to
encrypt their credit cards (I used Rijndael for encryption).
I didn't like doing it but I stored the customer's security code in
session for at least one action before decrypting the card and sending
it to Authorize.net.
I'm curious to hear how others have handled the flow of checkout on