I’m a Ruby on Rails developer. I’d like to create a web application. I will let users get a paid subscription to use the product. So I will need a recurring billing system (e.g. via PayPal).
But there is the fear of failing and making some bad mistakes, because I will be handling other people’s money, regardless of following the instructions of e.g. Ryan Bates on Railscasts on how to implement such a recurring payment system.
What is your advice to overcome this fear of building such a product?
What are the risks I need to calculate when designing such a system?
1) You’re right to use a service to do the recurring payments for you so you don’t have to worry about security. Your biggest risk is that you could expose payment data to malicious individuals. Make secure storage of the credit card data somebody else’s problem.
2) Write really good tests. Don’t stop at unit tests, move up to integration, functional and behavioral tests. It’s not enough to test “testCardAccepted.” You also need tests like “Given my card was processed successfully and a year has passed and I have not canceled Then I should see one charge of 9.99 on the test card account.” and “Given my card was … and the expiration date is in the past and there is one month to renewal Then I should see an e-mail asking to update the card information.”
3) Do some analysis and design before you start. See if there’s a well established library you can use to do the recurring payments from your merchant. Understand the problem really well and get a sense of what might be problem areas. I can’t think of a good library, but check to see if the merchant has good quality sample code you can re-use.
4) Make sure you form an LLC or corp with its own, separate bank account for transactions with the merchant. Check to see if your local laws require you to carry a bond or other insurance, including business licensing.
That’s all the advice I have for you.
The fact that you use PayPal mitigates the risk from IT to legal and accounting departments. You don’t have to process payments in a secure way: PayPal does. You don’t have to safely store credit card numbers: PayPal does.
If something goes wrong, it’s up to the accounting department to discuss the issue with the client, having PayPal’s records as proof. In the worst case, the customer will actually pay, but your web application will fail to record (or magically forget) that PayPal processed the payment. In this case, accountants could simply have an override, letting them indicate to the web app that the payment was effectively done.
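The test scenarios from point 2 of the first answer (one 9.99 charge after a year unless canceled, an e-mail when the card on file expires before the renewal) and the accountant override from the second answer, as an added example in plain Ruby that is not code from either answer or from Railscasts; `FakeGateway`, `Subscription` and all dates and tokens are constructed stand-ins for a provider such as PayPal.

```ruby
require 'date'
# Constructed stand-in for the provider's recurring-billing API (assumption: not PayPal's SDK); declines expired cards.
class FakeGateway
  attr_reader :charges
  def initialize; @charges = []; end
  def charge(card, amount, today)
    return :declined if card[:expires_on] < today
    @charges << { token: card[:token], amount: amount, on: today }
    :ok
  end
end
# Yearly subscription: charges PRICE on each renewal date, e-mails the customer 30 days ahead
# when the card expires before then, and lets an accountant record a payment the app missed.
class Subscription
  PRICE = 9.99
  attr_reader :emails, :status, :next_renewal, :audit_log
  def initialize(card, gateway, started_on)
    @card, @gateway, @next_renewal = card, gateway, started_on.next_year
    @canceled, @reminded_for, @status = false, nil, :active
    @emails, @audit_log = [], []
  end
  def cancel; @canceled = true; end
  # Run once a day by a scheduler; returns the actions taken that day.
  def tick(today)
    return [] if @canceled
    actions = []
    if today >= @next_renewal - 30 && @card[:expires_on] < @next_renewal &&
       @reminded_for != @next_renewal
      @emails << { subject: :update_card, on: today }
      @reminded_for = @next_renewal   # one reminder per renewal, not one per day
      actions << :reminder_sent
    end
    if today >= @next_renewal
      if @gateway.charge(@card, PRICE, today) == :ok
        @next_renewal, @status = @next_renewal.next_year, :active
        actions << :charged
      else
        @status = :past_due  # declined: keep access, let support resolve it
        actions << :charge_failed
      end
    end
    actions
  end
  # Accountant override for a payment the provider confirms but the app never recorded.
  def record_manual_payment(accountant, reference, today)
    @audit_log << { by: accountant, reference: reference, on: today }
    @next_renewal, @status = @next_renewal.next_year, :active
  end
end
```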