• Have at least one other person look over your code. It's easy not to notice problems in your own code, that stand out to others.
• See if any existing well known authentication systems fit, before re-inventing the wheel. Odds are they've been looked over quite well over time.
• Keep it as simple as possible. Think any special security features through. It's not uncommon to add a feature meant to increase security, that actually makes it worse.
• Obviously keep everything patched, but attempts at password stealing/sharing/brute forcing is more common than attempts to hack into a pay site. (at least the ones I've worked with)

Hope this helps.

Update: All the above advice assumes you're using a 3rd party processor, so you only have to deal with authentication, not actual credit card/payment data.