To retrieve a csv file via https, if it's in your web tree you just type the URL. Make sure the directory is password protected via a .htaccess file (most web servers) or via NT permissions (IIS/etc).
Now, if you have the orders coming to you via CSV, you can still get the email without the credit card number.
That way you get the notification and still get the credit card. Just set the mode to BOTH in the checkout.pl file, and add fields for your credit card to the CSV file write (line 487 of checkout.pl or so).
To setup secure email, check with your provider. AT&T only does it that way, and several webmail providers work that way. In your mail program you may have an option like 'Receive mail using SSL' or 'Use POP3S for secure mail download' or 'use TLS for secure mail download'. Any one of those will work. Many ISPs are supporting this now.