There are really a lot of ways to answer this...
I assume their PHP app will be communicating to your WCF server with SOAP?
So, WCF has 2 ways of securing things, at the Transport level or at the Message level.
Basically if you turn on Transport level security, then it encrypts the entire connection. This means it would use HTTPS. This would in turn mean that the entire conversation is encrypted, just like if you were sending your credit card info to a web site in a web form. Its equally as secure. The alternative is Message level security. This means that instead of encrypting the entire connection, the communication will happen over plain unencrypted HTTP, but the actual message itself will be encrypted before being transmitted over the wire.
If your service is hosted in IIS, then the easiest thing to do is just use the BasicHttpBinding and turn on Transport security. Then in IIS, have it use an SSL certificate and HTTPS.
That would handle the message encryption. Past that, if you need to handle a 'login' as a username and password, WCF has a built in way to handle that. This might help: http://nirajrules.wordpress.com/2009/05/22/username-over-https-custombinding-with-wcf%E2%80%99s-channelfactory-interface/