Unfortunately, online payment remains a major area of Internet immaturity. Payment and data transfer security are allied problems. When buyer and seller meet physically to exchange money for goods, trust is less of an issue than when two entities deal blind online.
Though buyers - rightly - distrust online credit card payments, merchants suffer more from credit fraud. This is because most online payments are made by credit or debit card, and the payment protocols for these were originally intended for face-to-face sales where the cardholder and card are both physically present.
Physical presence offers security based on a customer signature and card imprint. But the merchant is almost always responsible for losses when sales are made on a 'Cardholder Not Present' basis, even when the vendor has obtained authorisation from the card issuer.
There are two areas of concern: ensuring the privacy of the data involved in the transaction, to reassure the buyer, and ensuring the buyer is engaged in a valid transaction, for the benefit of the seller.
The first is most easily solved using SSL (Secure Sockets Layer), an encryption protocol built into current browsers and supported by most Web servers. Base Apache doesn't support it for patent reasons (RSA owns certain algorithms in the US), but Apache SSL does.
Using SSL once it's enabled is straightforward - simply change Web page references to https:// instead of http://, like so:
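As an added example (not from the original article), the Python sketch below audits a page for references that would still travel over plain http:// once SSL is enabled, including the form that submits card details. The sample page, the host name shop.example and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute holding a URL the browser will fetch or submit data to.
URL_ATTRS = {"form": "action", "a": "href", "img": "src",
             "script": "src", "link": "href", "iframe": "src"}

# Constructed sample page (not from the article); shop.example is a placeholder.
SAMPLE_PAGE = """<html><body>
<img src="http://shop.example/logo.gif">
<a href="https://shop.example/terms.html">Terms</a>
<form method="post" action="http://shop.example/cgi-bin/pay">
<input name="cardnumber">
</form>
<a href="/basket.html">Basket</a>
</body></html>"""


class InsecureRefFinder(HTMLParser):
    """Collects (line, tag, url) for every absolute http:// reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)  # HTMLParser lower-cases tag/attr names
        for name, value in attrs:
            # Relative URLs have no scheme and inherit the page's, so skip them.
            if name == wanted and value and \
                    urlsplit(value.strip()).scheme.lower() == "http":
                self.findings.append((self.getpos()[0], tag, value.strip()))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def to_https(url):
    """Rewrite an http:// URL to https://; URLs with an explicit port
    (e.g. :80) are rewritten as-is and need a manual check afterwards."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return parts._replace(scheme="https").geturl()


if __name__ == "__main__":
    for line, tag, url in find_insecure_refs(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {url} -> {to_https(url)}")
```

The form action is the reference that matters most here: if it stays on http://, the card number is submitted unencrypted even when the page containing the form was loaded over https://.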