I do software engineering and security for a living, and I hope the person you have working with you puts this as a priority.
Amen, brother! Preach on.
Now, I'm gonna reopen those tags again for a moment to testify.
<threadjack><rant><soapbox>
K-vette, towards the point of credit card security Insanity was speaking on, let me introduce you to the PCI Data Security Standards that every individual/organization who wants to process credit cards must pass to avoid being held liable for security breaches.
Read through that wall of text for mandatory compliance standards yet? Have you seen the costs to get PCI certified just so you can take credit cards?
Now take a look at what happened to a couple of retailers recently who passed PCI security audits and take their financial security seriously:
Target cyber breach hits 40 million payment cards at holiday peak
1.1 million payment cards exposed to malware in Neiman Marcus hack
Use Amazon or Paypal to process your payments.
Use OAUTH or another established authentication system for your account management. OAUTH2 has its own problems if it's not properly configured, but it's still a good sight better than rolling your own.
Make sure your "technical co-founder" understands the importance of protecting and securing the SQL database (especially if you're using a framework like Wordpress, Joomla, Drupal, etc.), how to mitigate PHP injection attacks, and in general not suck when it comes to taking security seriously. If you don't do this, you will be a low-hanging target and you will betray the trust of your customers irreparably when things go sideways... and they will go sideways if you're not serious about security.
</threadjack></rant></soapbox>