
SkillShare - A place to discuss Web Standards and Web Design topics


    • CommentAuthoreplawless
    • CommentTimeAug 26th 2006
     permalink
    I'm just finishing the CMS and user registration portion of a site, and I'm starting to code my first e-commerce site, with a payment system, from scratch. I am absolutely terrified of security holes. What should I do to make sure I don't create any?
    • CommentAuthorPettyRider
    • CommentTimeAug 27th 2006
     permalink
    I'm no security expert, so I know exactly what fear you are describing. The most critical piece of information is the credit card number. This should be your focus. Never store it in its entirety. Either encrypt the shit out of it, or break it up into obscure pieces and store it in several chunks. The credit card merchant will have their own security and the charge will be taken care of through their API, so you don't need to worry so much there. And of course, always handle the buyer's info across a secure socket layer.

    Again, I'm no expert. Maybe someone else here has some more experienced tips for you. Good luck.
     permalink
    Can you download one of the more popular open source products and study how they handle security?
    • CommentAuthordhayes
    • CommentTimeAug 27th 2006
     permalink
    Try a few XSS attempts, whenever possible store sessions in the database, use strong encryption on user passwords/personal data (sha256, php's crypt function, or other blowfish alg.), use mod_security and/or apply the hardened patch .. your biggest concern and responsibility is protecting customer data .. there's a lot of solace in the fact that the code is not publicly available; if it were, you could expect exploits to be found .. given that it's not, it makes you a more "unlikely" target. nonetheless .. protect the customers.
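    The two concrete recommendations in this thread, never keeping the full card number and storing passwords with a strong salted hash, as an added example (not code from any poster; Python stdlib is used here instead of php's crypt, with PBKDF2-HMAC-SHA256 standing in for the blowfish/crypt suggestion, and the card number and password below are constructed test values):

```python
import hashlib
import hmac
import os
import re

# Constructed sample input (not from the thread): the standard Visa test PAN and a password.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_PASSWORD = "correct horse battery staple"

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects typos before the number is handed to the merchant API."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """What the shop itself may keep for receipts: last four digits only; the full PAN is never persisted."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

# Password storage: a salted, deliberately slow hash rather than a bare sha256 digest.
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: bytes = b"") -> str:
    """Returns a self-describing record: algorithm$rounds$salt$digest (hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so the login check leaks nothing through timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    print(luhn_ok(SAMPLE_PAN), mask_pan(SAMPLE_PAN))
    record = hash_password(SAMPLE_PASSWORD)
    print(record, verify_password(SAMPLE_PASSWORD, record))
```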