Any credit card page (or other sensitive info) should not only be protected (SSL or something equivalent) but forced to never cache.

Otherwise attacks become a piece of cake - believe me, organising attacks on web sites and servers is half my job, and it makes me laugh every time I see a wesite which allows such things.

Laugh in a sad way...