We didn’t address any performance-specific issues. Calls all come into the app (middle man), which uses .NET, and the requests are handled by .NET appropriately. Each call is made with a singleton, so a single Session is in use for the whole app, and we are using the Web Service License.
For customers, we used their Contact Record and UD fields to store Username and Hashed Passwords.
Credit cards we are going to handle via EPX and their PayEasy module (we are already using Epicor Payment Exchange).