If the sensitive data you use can be deleted after use, do it. It is much better to ask users every time for their credit card information than to have it stolen in a breach.
If sensitive information must be stored, the first protection to give it is encryption with a strong algorithm and correspondingly strong keys, and those keys must themselves be stored securely, never alongside the data they protect. Some recommended algorithms are Twofish, AES, and RSA.
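The following is an added example of the encrypt-at-rest idea above, written for this page and not taken from the book. It uses AES in GCM mode through the `cryptography` package, reads the key from an environment variable rather than hard-coding it (the variable name `CARD_DATA_KEY_HEX` is an assumption; in production the key would come from a KMS, HSM or secrets manager), and binds each ciphertext to a record identifier as associated data so that an encrypted value cannot be silently moved from one row to another.

```python
import os
from typing import Mapping, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed name of the environment variable holding the 256-bit key as hex.
# The key is deliberately NOT in the source code or the database that holds the ciphertext.
KEY_ENV = "CARD_DATA_KEY_HEX"
NONCE_BYTES = 12  # 96-bit nonce is the recommended size for AES-GCM


def load_key(env: Mapping[str, str] = os.environ) -> bytes:
    """Fetch the AES-256 key from the environment (or any mapping, for testing)."""
    hex_key = env.get(KEY_ENV)
    if hex_key is None:
        raise RuntimeError(f"{KEY_ENV} is not set; refusing to run with a default key")
    key = bytes.fromhex(hex_key)
    if len(key) != 32:
        raise ValueError("AES-256 key must be exactly 32 bytes")
    return key


def encrypt_field(plaintext: bytes, key: bytes, context: bytes) -> bytes:
    """Encrypt one database field; `context` (e.g. b"customer:42") is authenticated, not hidden."""
    nonce = os.urandom(NONCE_BYTES)          # fresh random nonce per encryption
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, context)
    return nonce + ciphertext                # store nonce next to the ciphertext


def decrypt_field(blob: bytes, key: bytes, context: bytes) -> bytes:
    """Reverse encrypt_field; raises InvalidTag if the data or context was tampered with."""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return AESGCM(key).decrypt(nonce, ciphertext, context)


def decrypt_or_none(blob: bytes, key: bytes, context: bytes) -> Optional[bytes]:
    """Convenience wrapper that turns an authentication failure into None."""
    try:
        return decrypt_field(blob, key, context)
    except InvalidTag:
        return None


if __name__ == "__main__":
    # Constructed sample: a card number bound to a constructed customer id.
    demo_key = AESGCM.generate_key(bit_length=256)
    stored = encrypt_field(b"4111111111111111", demo_key, b"customer:42")
    print(decrypt_or_none(stored, demo_key, b"customer:42"))   # original value
    print(decrypt_or_none(stored, demo_key, b"customer:43"))   # None: wrong record
```

Because the nonce is stored with the ciphertext and the key lives elsewhere, a dump of the database alone yields nothing usable; the associated data check is what catches an attacker who copies one customer's encrypted card onto another account.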
Passwords should never be stored in the database in clear text, only as hashes produced by one-way hashing functions such as bcrypt, scrypt, or SHA-2.
Ensure that all sensitive documents are accessible only to authorized users: don't store them in the web server's document root but in an external directory, and serve them through application code that checks authorization before reading the file. If, for some reason, sensitive documents must live inside the server's document root, use a .htaccess file to prevent direct access:
# Apache 2.2 syntax (still accepted by 2.4 through mod_access_compat); in 2.4 use "Require all denied"
Order deny,allow
Deny from all
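To show what "serve them through application code" looks like in practice, here is an added example (written for this page; it is not code from the book). Documents are looked up by an opaque identifier in a constructed ownership table, the caller's user id is checked against that table, and the resolved path is confirmed to stay inside the private directory as a second line of defence. A temporary directory stands in for the assumed out-of-docroot location `/var/app/private_docs`.

```python
import tempfile
from pathlib import Path

# Placeholder for the real external directory (e.g. /var/app/private_docs, outside the web root).
# A temp directory is used here so the example runs anywhere.
DOC_ROOT = Path(tempfile.mkdtemp(prefix="private_docs_")).resolve()

# Constructed ownership table: document id -> (filename on disk, users allowed to read it).
# The client never supplies a filename or path, only the id.
ACL = {
    "invoice-1001": ("invoice-1001.pdf", {"alice"}),
    "contract-7": ("contract-7.pdf", {"alice", "bob"}),
}

# Create constructed sample documents so the example is self-contained.
for _doc_id, (_filename, _) in ACL.items():
    (DOC_ROOT / _filename).write_bytes(b"%PDF-1.4 constructed sample " + _doc_id.encode())


class AccessDenied(Exception):
    """Raised when the requesting user is not authorized for the document."""


def serve_document(user: str, doc_id: str) -> bytes:
    """Return the document bytes if `user` is authorized; otherwise raise."""
    entry = ACL.get(doc_id)
    if entry is None:
        raise FileNotFoundError(doc_id)
    filename, allowed_users = entry
    if user not in allowed_users:
        raise AccessDenied(f"{user} may not read {doc_id}")
    # Defence in depth: even though filenames come from our own table, refuse anything
    # that resolves outside DOC_ROOT, so a future bug cannot turn this into path traversal.
    path = (DOC_ROOT / filename).resolve()
    if DOC_ROOT not in path.parents:
        raise AccessDenied("resolved path escapes the document directory")
    return path.read_bytes()


def can_read(user: str, doc_id: str) -> bool:
    """Boolean view of serve_document for callers that only need a yes/no answer."""
    try:
        serve_document(user, doc_id)
        return True
    except (AccessDenied, FileNotFoundError):
        return False


if __name__ == "__main__":
    print(serve_document("alice", "invoice-1001")[:8])   # b'%PDF-1.4'
    print(can_read("bob", "invoice-1001"))               # False
```

In a web framework the `user` argument would come from the authenticated session and the bytes would be streamed back with an appropriate Content-Type; the important part is that the file path is derived server-side from the id and the authorization check runs before any file is opened.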
Disable the caching of pages that contain sensitive data. For example, in Apache, we can disable the caching of PDF and PNG files by using the following settings in httpd.conf:
# requires mod_headers; the pattern is quoted, the dot escaped and the match anchored to the end of the name
<FilesMatch "\.(pdf|png)$">
    FileETag None
    Header unset ETag
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</FilesMatch>
Always use secure communication channels to transfer sensitive information, namely HTTPS (HTTP over TLS) for the web application and, if you allow file uploads, a protected transfer protocol such as FTPS (FTP over TLS) or SFTP (file transfer over SSH).