Even if we presume that you have insufficient control over the web server configuration to ensure that CGI scripts will be executed instead of sending the source code...

...and even if we accept that you have to use CGI instead of a more modern web application architecture...

...and even if we ignore the fact that good encryption and payment processing systems remain secure even when the algorithms are fully public...

...this still isn't a problem if you're using good software development practices.

Good development practice calls for putting potentially-reusable code into modules, not the main program source file. So you're running something as a CGI script and the web server sends the source instead of running it, but the source of myapp.cgi consists of:

#!/usr/bin/perl
use MyApp::Main;
MyApp::Main->run();
[download]

So the bad guys saw that? Whoopty-freaking-do. The only thing it tells them is that your knowledge of CGI application development isn't stuck in 1997.

Good web application deployment practice also says that MyApp/Main.pm (i.e., the source of your MyApp::Main module) must not be placed under your web root (or any other web-shared directory), which ensures that there is no URL which maps to that file, thus making it impossible for a web user to access the source code of the module(s) used by your program. (Barring a serious exploit of the web server itself, of course.)