How to do it...

  1. If the sensitive data you use can be deleted after use, do it. It is much better to ask users every time for their credit card information than to have it stolen in a breach.
  2. When processing payments, always prefer the use of a payment gateway instead of storing such data in your servers. Check http://ecommerce-platforms.com/ecommerce-selling-advice/choose-payment-gateway-ecommerce-store for a review of the top providers.
  3. If we need to store sensitive information, the first protection we must give it is to encrypt it with a strong encryption algorithm, using correspondingly strong keys that are themselves stored securely. Some recommended algorithms are Twofish, AES, and RSA.
  4. Passwords should be stored in the database as hashes produced by one-way hashing functions, such as bcrypt, scrypt, or SHA-2.
  5. Ensure that sensitive documents are accessible only to authorized users; don't store them in the web server's document root, but in an external directory, and serve them through application code. If, for some reason, it is necessary to keep sensitive documents inside the server's document root, use a .htaccess file to prevent direct access:
# Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied"
Order deny,allow
Deny from all
  6. Disable the caching of pages that contain sensitive data. For example, in Apache, we can disable the caching of PDF and PNG files by adding the following settings to httpd.conf:
# Match only file names ending in .pdf or .png (dot escaped, anchored at the end)
<FilesMatch "\.(pdf|png)$">
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</FilesMatch>
  7. Always use secure communication channels to transfer sensitive information, namely HTTPS with TLS, or FTPS (FTP over SSH) if you allow the uploading of files.
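The following is an added example, not code from the book, showing how steps 4, 5, and 6 look in application code: passwords are stored as salted scrypt hashes and verified with a constant-time comparison, and sensitive documents are served from a directory outside the document root (the `store_dir` layout is assumed) with the same no-cache headers as the Apache snippet above, after an authorization check and a path-traversal check. It uses only the Python standard library.

```python
"""Added example (not from the book): salted password hashing (step 4) and
serving sensitive documents from outside the web root with no-cache headers
(steps 5 and 6). Standard library only."""
import hashlib
import hmac
import os
from pathlib import Path

# --- Step 4: store passwords as salted one-way hashes (scrypt) -------------
# Work factors are assumed values; raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<hash hex>' with a fresh random salt.

    A per-password salt means two users with the same password get
    different database records, and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat it as a match
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Steps 5 and 6: serve a document kept outside the document root --------
NO_CACHE_HEADERS = {
    "Cache-Control": "max-age=0, no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Wed, 11 Jan 1984 05:00:00 GMT",
}


def serve_document(store_dir: str, requested: str, user_authorized: bool):
    """Return (status, headers, body) for a document request.

    store_dir is a directory that is NOT under the web server's document
    root (hypothetical layout), so the file is only reachable through this
    function and the authorization check it enforces."""
    if not user_authorized:
        return 403, {}, b""
    base = Path(store_dir).resolve()
    target = (base / requested).resolve()
    # Reject anything that resolves outside the store ('../..', absolute paths,
    # symlinks pointing elsewhere); answer 404 rather than revealing why.
    if base not in target.parents or not target.is_file():
        return 404, {}, b""
    headers = dict(NO_CACHE_HEADERS)
    headers["Content-Disposition"] = f'attachment; filename="{target.name}"'
    return 200, headers, target.read_bytes()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

`hashlib.scrypt` requires a Python build linked against OpenSSL 1.1 or later; with the work factors above, one hash needs about 16 MiB of memory, which is within the default `maxmem` limit. The stored record carries its own salt, so a single function can verify any record, and `hmac.compare_digest` avoids leaking, through timing, how many bytes of the hash matched.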