I don't know if you're already doing these things, but I'll just throw them out there and let you ignore them if you do.
Make sure you understand attack vectors and protect against them. XSS, SQL Injection, man-in-the-middle, etc. Make sure your passwords are salted and hashed.
Auditing. Can't emphasize this enough. Things will go wrong, and when they do, you need to be able to tell when, where, and why. In our case, we had shadow tables in our database where we logged changes, and then consolidated and exported that data into an auditing system. We could confirm that a user made X change at Y time from Z IP address.
Also, a bit of a newbie mistake that I see from time to time. Don't use double or float with money.
Better, use bcrypt:
Or if you really want to go pro, use Colin Percival's scrypt:
It's ballin'. Bcrypt by default, too.