We do this all the time where I work. We use Crypt::OpenPGP to do the encryption server-side, then setup each person who needs to process a credit card with GnuPG (using a Win32 frontend called WinPT) and their own key for their e-mail address. You'll need to walk them through the key generation and how to do the decryption (just send a test order). Then give them a little lecture about how to keep the encryption keys secure.

1. Set up your secure server
2. Process your data
3. Encrypt your data (geez I'm a stats whore).
4. Mail it.

Update: Yikes! browser enabled encryption ... don't even try. You're better off doing it at the server. If the boss complains, start throwing words around like fiduciary responsibility.

Well my main reason for asking all of this to avoid packet sniffing. How would I get around packet sniffing if the user is sending over name/credit card/etc. intially when they are ordering something.

Web Security, Privacy & Commerce, 2nd Edition; and Secrets and Lies : Digital Security in a Networked World ( ISBN 0471453803 ). Stop now and read at least the later (which will hopefully explain that doing security correctly is hard even for those that have a clue what they're doing).

Secure servers are the *real* way to get around packet sniffing. There are some attempts to do client-side public key encryption via javascript (giyf) but I sure would hate to be on the QA team for something like that.
-derby

Using a secure server to capture the details and encrypt them will work for you, but then turning around and emailing the data over a plaintext wire protocol will undo some of that protection.

Is the recipient (boss) email address within your domain, hosted internally, along with your site? I.e., does that email message have to leave the (hopefully) protected confines of your network and venture out into the bad world?

Well, part of the problem is he doens't have the server set up yet. I've been developing the site on my local host server and he is waiting until I finish everything before he buys the server and sets all of that stuff up. And no, his e-mail is not within our domain and I don't think he would be willing to change because he uses his one e-mail right now for so many clients.

Thanks for the details. In that case, the email needs to be encrypted. See the many excellent answers already posted.