The web app has no control over what the browser does upon clicking the back button. Most of the times, the browser will re-display its cached version of the previous page, no matter what the cache settings are. That's just how the Back button works.
What problem does that present to your application? There may be ways to prevent any possible negative side effects.
I struggled with a pretty much identical case a while ago - I found no way of preventing the browser of caching a page and letting the user access it by clicking on the Back button, even after they had logged out. I was looking at the headers set by my Internet bank site and some webmails, until I realised it was the use of https that did the trick. I wasn't using https on my development machine, which caused the confusion. Since you're handling credit card info, I'd assume you'll be using https in production as well?