You need a signed certificate for https, which I don't know how to get since I've never had to do it myself. Probably shouldn't be too hard to search for that info though.
Then redirect all non-secure requests to https. You will also have to serve all content using https. I.e. you can't continue fetching for example images over http in secure pages. If you don't serve all your pages via https, you should fetch other resources accordingly since there is overhead for https.
Once your customers make requests over https, the information they provide you with is secured. When you talk to whomever handles your credit card payments, you'll need to make your requests to them secure in the same way. How you go about implementing it depends on the credit card transaction handler's API. But then again, they're not likely to allow you to send non-secure requests, so this should make no difference. On the other hand, if they do allow non-secure requests, you should get another transaction handler...
Apart from what's directly involved, you will of course need to protect yourself against all the normal stuff such as sql injection.
