What security measures should developers take when creating websites with sensitive information?
Take an average-sized online marketplace, for example. It could handle thousands of transactions daily. What type of security should a developer use for such a website?
Aside from creating a secure login system and SSL certification, shouldn't there be multiple checks with regard to securing the actual files, the database, and any sensitive information like credit card details, etc.?
I heard that pro hackers could get to your website root directory and mess up the files (can't quote the source, though). This may sound rather basic, but I hope someone could explain the fundamentals. Feel free to post other sources/articles if there is real info on this.