Storing credit card numbers online is tricky. If you encrypt them with all with the same key, then they key needs to be stored online, which means that if your server were compromised, a hacker would have access to a database of numbers, and the key to decrypt them.
A system of public and private keys is probably the best, but you could also generate a random key for each sale, and then include that key in the merchants email.
Look into the mysql AES_ENCRYPT function.
Do just like Ray suggested, create your cart using something like authorize.net for the gateway, then on the confirm page,locate the code for that gateway, and replace it with your own function. something like this pseudocode
create random key (maybe a 12 character long random string)
update tablename set cardNumber=AES_ENCRYPT(cardnum,randomkey) where id=cartID
(actually, its a good idea to encrypt all card data, like cvc code, and expiration date as well.)
Then in the email block, include that randomkey in the email, and in the admin, when they access the account, you can have them enter that key to decrypt the card number.
And as always, its a good idea to have a function that lets them delete the card data after they download it.
As another added layer of security, you could store only the card number in a table by itself (just the card number, and the autoincrement id for that table), and then include in the merchant email the id that ties the entry in the credit card table to the customer in the orders table.
The down side to this system, is that if the email doesnt make it to the merchant, then it is not possible to decrypt the card data.
Hope that helps.
Tom
