Unless I misunderstood this, it affects you even if you only transfer the information to a 3rd party:
17.04: Every person that owns or licenses personal information about a resident of the
Commonwealth and electronically stores or transmits such information...
Also many online shops allow you to save the info in case you want to reuse it in the future.
If you're not storing the information, presumably you don't need to encrypt the data that you're not storing. You do need to encrypt it while transferring it (i.e. use https instead of http), but if you don't do this already, shame on you!
Similarly, if you're storing credit card numbers in plaintext in a database, shame on you! That's worse than storing plain-text passwords.
I think the worst parts of this law are the "you have to file with the Massachusetts government" aspects. The technical stuff is basically common-sense data security that everyone should already be doing.
17.04: Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information...
Also many online shops allow you to save the info in case you want to reuse it in the future.