I have never heard of a case of a credit card number stolen by interception over the internet; likewise, I’ve never heard of a case of a credit card number obtained by tapping a phone line. It’s just too hard for someone.
This is my semi-knowledgable take on it (semi because I worked at an ISP and know generally about it, but I’m not a security expert).
When you have a secure connection on a web page, it means that your browser is not dealing with a regular web server, to which requests are sent and responses received. Your browser has received a web page that’s been routed through a security layer that encrypts the page, to be decrypted by your browser. Likewise, when you hit submit, your browser encrypts the form data and sends it back through the layer, which decrypts it. The protocol is called SSL, for Secure Socket Layer.
Intercepting anything in transmission over the Internet is, from what I understand, nearly impossible. Anything sent is broken up into packets (or datagrams) that are measured in bytes. Each packet is addressed; routers send each packet on its way to the next stop. It’s like mailing someone a book, a page at a time. Every letter has the same address, but they’ll all take slightly different routes through the mail system, and collecting all of them in midstream would be difficult. On the Internet, where delivery can take as little as milliseconds, it’s impossible.
It would be possible for someone to listen in at several points along the line, though, and intercept your submission: at your ISP, where your data has been sent in a large gulp along one line; alternately, at the receiving end, where it’s all arriving. In that case, it’s encrypted, and someone would need some serious equipment and knowhow to decrypt it to get your card number.
That you have a secure connection does not mean that no one is hacking into their system. It means your browser will send whatever you submit (and whatever is returned to you) through a layer of encryption while it’s “in the open” on the Internet. Opening a second, nonsecure browser window is irrelevent: your secure ordering page is still targeting the secured recipient. Keep in mind that ‘connection’ is a misnomer. You don’t have a connection the way you have a connection for a phone call, where a line is set aside for your use for the duration of your chat. ‘Connection’ is the metaphor in use to indicate the mutual, programmed agreement between your browser and the secure server to use the security protocol that they’re both programmed to handle.
Amazon.com was a poor choice of example: they were hacked several months ago, and someone made off with credit card numbers that got used. In that case, people found otu what a bad idea it is to use debit cards for Internet purchases: on a credit card, a charge can be reversed; with a debit card, the money is simply gone from your account.
I wouldn’t worry about secure or insecure connections. Just like reading your credit card number to a customer service representative over the phone, you have more to worry about with the company taking the information, than with how it gets to them.