in reply to collecting sensitive data

I'm going to join others that have not directly answered your "how to get sensistive data to the client" question and add another general resource. For that I apologize, but hope this helps.

OWASP is an organization with general info on writing secure web applications. It's fairly java-centric, but all the principles apply well enough. In particular, look at their Top Ten list of web application security flaws. Remember that the whole application has to be secure, not just the part that has to do with sensitive data.

#my sig used to say 'I humbly seek wisdom. '. Now it says:
use strict;
use warnings;
I humbly seek wisdom.