There are Perl modules available for building web services - e.g. http://www.soaplite.com/
. So you don't have to do it from scratch. Although I would question the wisdom of building a web-service in Perl to call a service written in cgi-perl; what exactly will this achieve for you?
As for security, yes passwords must be encrypted. You can do this in a number of ways. For example, encrypt the entire SOAP message using SSL. Or encrypt just the password programatically using an encryption api (e.g. java.security.*) and send the soap message as clear text.