Email can be made secure but I believe it is probably more difficult than doing it in a limited access DB with a site under SSL/HTTPS. Plus it initiates a situation where an end user can accidentally broadcast sensitive data with a careless forward/CC or an Outlook virus or whatever. I'd say steer completely away from email and encourage your customer(s) to think the same. Consider any bank or serious online store you've ever visited. There is not one that would send any of this stuff that way.

I don't mean to be discouraging either. I think it's possible to do this right. Just be very careful and please seek a project review as grep and I suggested before you flip anything live. You could theoretically do something like a hacker prize too. Offer $250-500(?) to anyone who can get a dummy account -- and explain how s/he did it -- out of a test deployment of your code.

I endorse the amendment ig gives below: an earlier review is a better idea. As for frameworks: none I know but I'll bet there are some options. I've worked within an established codebase taking cards and SSNs (and it was chillingly insecure). I never had to do one from scratch and even after a decade of CGI/web-apps I'd still be nervous, extremely cautious, and thorough.