For eCommerce applications I would definitely use sessions to store the state of the transaction. Whether you pass the session id using a http parameters or a cookie depends on whether you will be in a position to 'demand' site-compliance from your customers.
Furthermore, especially when forced to use plain cgi, I like to separate the entry, validation and processing into separate scripts with their respective templates. The validation script I usually create has no output of it's own, but redirects to either the form page (in case of problems) or the processing page (it it's all ok) after setting the appropriate 'validated' flag in the user's session store...
I would definitely read up on the HTTP protocol, and more specifically on GET/POST parameters and Cookies so you get more of a feel for the issues you'll be dealing with.
in reply to How do I write a CGI script with form validation?