Normally, I would say that you shouldn't store the password at all, but a hash of it. However, with only 10,000 possible passwords, there's not really much point — no amount of key stretching is going to stop an attacker from brute forcing a four-digit password if your database is compromised.
However, what you could do, at least, is to encrypt the password (combined with a random salt, so that two identical passwords don't map to the same ciphertext) with a key stored in some secure manner. Ideally, you should store the key in a hardware security module from which it cannot be extracted, and have the HSM take care of encrypting and verifying the passwords.
(The HSM should not allow decrypting a password, either; the only allowed queries should be "encrypt this password with a random salt" and "check if this password matches this encrypted string". If possible, the module should also feature some built-in rate limiting, so that even if an attacker manages to take over the server connected to the HSM, they still at least have to spend some time to crack all the passwords. Ideally, them module should also report the rate at which it is being queried, and the fraction of successful queries, to another, physically separate monitoring server.)
Anyway, if you're dealing with credit card data, it's likely that there are other fields in your database that also should be stored securely. Generally, there are quite detailed industry regulations and/or laws governing all this stuff — have you already checked which of them apply to you and what they say?