If you're not storing the information, presumably you don't need to encrypt the data that you're not storing. You do need to encrypt it while transferring it (i.e. use HTTPS instead of HTTP), but if you don't do this already, shame on you!
Similarly, if you're storing credit card numbers in plaintext in a database, shame on you! That's worse than storing plaintext passwords.
I think the worst parts of this law are the "you have to file with the Massachusetts government" aspects. The technical stuff is basically common-sense data security that everyone should already be doing.