The fact that the site uses SSL is irrelevant. Most hackers will most likely have an SSL capable browser, thus if you have, for example:
The hacker can simply visit https://secure.yourdomain.com/credit_cards.txt
and view the goods. The only difference here is that another hacker won't be able to intercept the data while it is being transfered to the first hacker - they will have to visit the above URL all on their own via their own Secure connection
This is of course assuming they can find a way to find out where this file is and what it's called, but if (for example) you are using a freely available (or commercially available) shopping cart that does this, anyone can quickly find out where it stores its info at. Think of all the UBB exploits... wouldn't be any different if the UBB were SSL...
To summarize: SSL alone is not nearly enough. That protects the data during one step
of a process that can include many steps. There is still the matter of storing the data, retrieving/processing the data, and so on...