Some other general considerations:
- The nice thing about using a service like PayPal is you never have to receive or store a user's credit card number. I would recommend building your system so you never know the user's credit card number. If you never have it/store it, a hacker can't get it from you.
- If you are hosting things and you do receive any sensitive user data, you'll need to take care of some things in the server. Specifically, SSL should be enabled (https) so all data is encrypted.
- If you have multiple steps to your forms, make sure the forms use POST rather than GET, and don't store any sensitive information on subsequent forms using hidden fields or URLs with a query string.
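As an added illustration of the last two points (example code written for this page, not code from the answer above): a minimal server-side handler for a multi-step checkout that refuses GET for form steps, keeps the state of earlier steps in a server-side session instead of hidden fields, and hands card data to a hypothetical gateway function so the raw number is never stored. The session store, step names and `gateway_tokenize` are assumptions for the demonstration.

```python
import secrets
from typing import Dict

# Constructed in-memory session store: multi-step form state lives server-side,
# keyed by an opaque random id; only that id reaches the client (in a cookie),
# never the data itself in hidden inputs or a URL query string.
SESSIONS: Dict[str, Dict[str, str]] = {}
SENSITIVE_FIELDS = {"card_number", "cvv", "expiry"}

def new_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def gateway_tokenize(card_number: str, expiry: str, cvv: str) -> str:
    # Hypothetical stand-in for a call to a PayPal-style provider: card data is
    # sent out over the provider's API and only an opaque reference comes back.
    return "tok_" + secrets.token_hex(8)

def handle_step(method: str, sid: str, step: str, fields: Dict[str, str]) -> Dict:
    """Handle one step of a multi-step checkout form.

    - Steps must arrive via POST: with GET the fields would sit in the URL
      (browser history, proxy and server logs, Referer headers).
    - Form state is kept in the server-side session, not echoed back to the
      client as hidden inputs on the next form.
    - Card details are never stored: only the gateway token and last four
      digits are kept for display on the confirmation page.
    """
    if method != "POST":
        return {"status": 405, "error": "form steps must be submitted with POST"}
    session = SESSIONS.get(sid)
    if session is None:
        return {"status": 403, "error": "unknown session"}
    if step == "shipping":
        session["address"] = fields["address"]
        return {"status": 200, "next": "payment"}
    if step == "payment":
        session["payment_token"] = gateway_tokenize(
            fields["card_number"], fields["expiry"], fields["cvv"])
        session["card_last4"] = fields["card_number"][-4:]
        return {"status": 200, "next": "confirm"}
    return {"status": 404, "error": "unknown step"}

def stored_sensitive_fields(sid: str) -> set:
    """Audit helper: which raw sensitive fields ended up in server-side state?"""
    return SENSITIVE_FIELDS & set(SESSIONS.get(sid, {}))
```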