I'm been programming in PHP for a few years now, but I'm just now encountering my first job where I need an to process credit card payments live - and I want to make sure I'm doing everything securely before making it public.

A) I'm using PHP, and the pages with info-gathering forms are on a SSL server. I check the HTTP_REFERER to make sure they arrived from a specefic URL, and that no query string variables were added.

B) Once the form (including CC info) is submitted, it goes to a verification page also on the SSL server. On this page, all their information is stored into PHP SESSION variables.

C) If the information is verified, the user is sent to a third page, where the information is pulled from the session variables and submitted to Authorize.net The result is read, and the proper output given. If everything went well, some info is stored in a DB (not CC info), and then the session is destroyed after printing a receipt.

My questions are:
1) Is EVERYTHING in an SSL connection encrypted? Session Variables? Form Values? Etc?

2) What is the best way to pass CC info? In A->B, it is passed by the form values. In B->C, it is passed through Session variables. Is one way better than another? I've read that sessions are more secure... but I'm not sure how to implement this in the A->B passing.

3) Any other security issues I should be aware of in this format of payment processing?

Thanks,
Sledgeweb