Verify my form workflow

Posted by Shackrock on Stack Overflow
Published on 2011-11-13T16:55:43Z Indexed on 2011/11/13 17:50 UTC

I have a form, with some sensitive info (CC numbers). My workflow is:

  • One page to take all form items
  • Upon submission, values are validated. If all is well, all data is stored in a session variable, and the page reloads and displays this info from the session variable.
  • If everything is ok on the review page, the user clicks submit and the session variable is sent to another form for processing (sending payment).
  • Upon success, the session is destroyed. Upon failure (bad CC number, for example) - the user is sent back to the form, with all of the fields filled in just like before, so that they can check for errors and try again (session is NOT destroyed).

Does anyone see anything wrong with this, from a security or best practices standpoint?

UPDATE: I'm thinking I can get rid of a step - storing the info in a session EVER. Just have a one page checkout, no review page... makes sense.
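
The single-request checkout from the UPDATE above, as an added example that is not part of the original post: card number and CVV are validated and handed to the processor within one POST and never placed in `$_SESSION` (PHP's default session handler writes session data to files on the server), and on failure only non-sensitive fields are refilled. `luhn_valid`, `handle_checkout`, the `$charge` callable and the form field names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Luhn checksum: rejects mistyped card numbers before any processor call.
function luhn_valid(string $pan): bool
{
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        // Every second digit from the right is doubled; 10..18 folds to 1..9.
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Handles one POST. $charge is a hypothetical callable wrapping the payment
// processor: fn(string $pan, string $cvv, int $cents): bool.
function handle_checkout(array $post, callable $charge): array
{
    $pan  = (string) preg_replace('/[\s-]/', '', (string) ($post['card_number'] ?? ''));
    $cvv  = (string) ($post['cvv'] ?? '');
    $name = trim((string) ($post['name'] ?? ''));
    $errors = [];
    if ($name === '') { $errors['name'] = 'Name is required.'; }
    if (!luhn_valid($pan)) { $errors['card_number'] = 'Card number is invalid.'; }
    if (!preg_match('/^\d{3,4}$/', $cvv)) { $errors['cvv'] = 'Security code is invalid.'; }
    if (!$errors && !$charge($pan, $cvv, (int) ($post['amount_cents'] ?? 0))) {
        $errors['card_number'] = 'Payment was declined.';
    }
    // Only non-sensitive fields go back into the form. Card number and CVV
    // live in local variables for this request and are never put in $_SESSION.
    $refill = ['name' => htmlspecialchars($name, ENT_QUOTES, 'UTF-8')];
    return ['ok' => !$errors, 'errors' => $errors, 'refill' => $refill];
}

// Constructed sample input: a commonly used test card number and a
// stand-in processor that always declines.
$decline = fn(string $pan, string $cvv, int $cents): bool => false;
$post = ['name' => 'A. User', 'card_number' => '4111 1111 1111 1111',
         'cvv' => '123', 'amount_cents' => '1999'];
var_dump(handle_checkout($post, $decline));
```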
