First off, don't hire people you can't trust. Second, make sure that you
establish your concerns with your web developer. A lot of times when I'm working
with clients who have interesting payment methods, that banking info or banking
representatives are involved (many of times, those sites have to be PCI
compliant), I assure my client that I don't share their information with anyone
and even hand them education on keeping their information secure and further
steps to ensure, after working with me, to change any of their passwords to any
sensitive information.

Always have a contract (and even NDA, if you believe you should require it for
your project) if you are giving really sensitive information. Always make sure
the web developer provides a proposal that aside from scope, has policies on
what to expect from them, and what to expect from you, and what happens when
things may go sideways. Make sure to read and request to add anything where need
be, if security isn't mentioned.

Additionally make sure as part of scope, a secure solution is proposed, if your
site doesn't already have one in place. Lastly, if you have a payment gateway
that requires PCI compliance, make sure your developer knows how to do that.

You can restrict, that payment gateways should be finalized by you. Also, after
development stage, change all passwords, to panel, db, hosting etc. You can't
protect yourself in 100%, but those should be your first steps

Hire someone you can sue if need be, that’s my advice. Offshore and legally
unreachable is not a good idea for e-commerce sites.

I have business general liability and errors and omissions insurance because
large clients with real lawyers won’t do business with anyone who doesn’t, for a
reason.