Developing a secure website

I am developing a website that allows a user to view/enter their banking, credit card and other 'sensitive' information.

I am aware that I have to use HTTPS for communication, but over and above that, I am not sure on what else needs to be done.

I would ideally like to encrypt data sent between the client and the server, but I don't know if this is already done by using the HTTPs protocol.

Any ideas on where to get additional information on best practices for developing such a web application?

Additional info: I will be develop开发者_开发技巧ing/deploying this website using a LAMP stack.

1. Check whether you need to develop everything from scratch or if you can build upon an existing trusted shop or framework. There are so many parts one can do the wrong way (encryption, session management, payment, ...) when doing it from scratch.

2. The more important the data you want to handle the more requirements exist (see e.g. http://www.pcicomplianceguide.org, especially http://www.pcicomplianceguide.org/security-tips-20081030-web-application-security.php). You might have to talk with legal experts because it depends heavily on "what data" and how you process them in your workflow.

3. Take a look at http://www.owasp.org/index.php/Category:OWASP_Guide_Project - the The Open Web Application Security Project (OWASP) with lots of hints about important aspects of web security.

4. I hesitate recommending books like http://oreilly.com/catalog/9780596006709 - but you will probably own your own server and not rely on a shared hosting environment, so you'll have to harden your own server environment, too. SSL is not enough. You have to take care of file permissions, certification management, operating system updates etc.

Get your whole setup, code, storage, company certified by a trustworthy authority and make the fact that you're certified visible and verifyable on your site.