I agree with no_slogan, use RSA (or another public key system).

One thing I dont think will scale well is the use of a human to aprove the addition of new credit card customers.

What would you do if you've got a high transaction site with people wanting to spend their money right away? If you have a human aproving the credit card before use, you'll get too much lag and people will go elsewhere (I would).

I'm assuming you'll be doing this to protect yourself against fraud - what'll happen if a person gets their cc stolen, and needs to add another card? They'll have to "re-apply" and wait another period of time until their application is processed. IMHO I reckon you can automate all this. It will save lots of time and money. Check out www.amazon.com they do (at the front end) what I personally think is a good method of handling cc transactions.

Otherwise I think if you store the priv key "offline", perhaps on a private network somewhere behind your font end, and have a seperate machine to handle your ecommerce gateway (and only your ecomm machine can access your private key machine), you could be fine.

I havent had any real good commercial experience in ecommerce systems (yet), but the above sounds kinda logically secure - I wouldnt mind seeing what other people have to say.