You can see every single bit of the conversation between the client and server and not be able to decrypt the session. This is public-key cryptography we're talking about. Well, I don't know what IwataS thinks he's talking about. I don't think he does either.
It's not impossible for your info to be captured, but it's extremely unlikely. Most credit card information thefts are either from people breaking into computers where a database of credit card info is stored or from actual people copying your number (waiters, clerks, etc.)
Don't worry about it. The good news is that even if someone does swipe your credit card info, you're liable for $50 at most and I've never used a bank that actually charged me that $50. If your credit card company notices it before you do, their fraud office will call, ask you about the charges, and remove the ones that aren't yours. If you notice before they do, you'll just have to call and dispute the charges. I like to imagine the next step is the credit card company dragging the thief into a dark room and going all casino-worker-catching-a-card-counter on them but I don't think it really works that way.
Of course, that's assuming you're really using a credit card. I'm not sure about the rules as far as debit card fraud goes. I don't use them thanks largely to the horror stories I've heard from the early days of debit cards. I'm sure they're worked things out now but it just leaves a bad taste in my mouth. That was certainly something you didn't want to be an early adopter on.
