SSL wiring, as mentioned by Rex M, is certainly the first step. You should probably make a page on which they enter their credit card number. This will give your users a green comfort url.
You must also enable protection against CSRF attacks. Use an anti-forgery token.
In addition, you must use the PRG pattern (Post, Redirect, Get) to ensure that credit card numbers are not sent twice. After posting, don't just render another view, send a redirect so that their browser makes a GET against a different URL - perhaps on the confirmation page.
You will come across several specific ASP.NET MVC things:
If you have http pages and some https pages, how will you encode links to https pages from http pages? You can hardcode them, but you have to hardcode the domain and protocol. You can't just use <%= Html.ActionLink(... See this SO question for more details.
You need to make sure that you cannot hit your controllers when you are not using SSL. This will help you catch any errors and make sure no one is using http instead of https. See the [RequireSsl] attribute in the futures assembly. Here's a blog post about it from Adam Salvo.
Lance Fisher
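The three points in the answer above (HTTPS-only controllers, an anti-forgery token, and Post/Redirect/Get) combined in one controller, as an added example that is not part of the original answer. It assumes ASP.NET MVC 2 or later and uses the built-in [RequireHttps] attribute in place of the futures [RequireSsl]; `CheckoutController`, `PaymentForm` and `ChargeCard` are hypothetical names.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical view model for the payment form.
public class PaymentForm
{
    public string CardNumber { get; set; }
    public string Expiry { get; set; }
}

// [RequireHttps] redirects plain-HTTP GET requests to HTTPS and rejects
// any other verb sent over HTTP, so no action here is reachable without SSL.
[RequireHttps]
public class CheckoutController : Controller
{
    // The Pay view must emit the token inside its <form>:
    //   <%= Html.AntiForgeryToken() %>
    [HttpGet]
    public ActionResult Pay()
    {
        return View(new PaymentForm());
    }

    // [ValidateAntiForgeryToken] rejects the POST unless the hidden form
    // field and the anti-forgery cookie match (the CSRF check).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Pay(PaymentForm form)
    {
        if (!ModelState.IsValid)
            return View(form); // validation errors: redisplay, nothing was charged

        // Carry only a confirmation id across the redirect, never the card number.
        TempData["ConfirmationId"] = ChargeCard(form);

        // PRG: answer the POST with a redirect, so a refresh or back button
        // replays the GET below instead of resubmitting the card details.
        return RedirectToAction("Confirmation");
    }

    [HttpGet]
    public ActionResult Confirmation()
    {
        var id = TempData["ConfirmationId"] as string;
        if (id == null)
            return RedirectToAction("Pay"); // reached directly, no completed payment
        return View((object)id); // cast so the string is the model, not a view name
    }

    // Placeholder for the payment gateway call (assumption); returns a made-up id.
    private string ChargeCard(PaymentForm form)
    {
        return Guid.NewGuid().ToString("N");
    }
}
```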