It’s possible (not necessarily likely) that a developer may write code to scrape your website and database for the site’s user data (names, addresses, credit card data). It’s less likely that they’ll be able to steal money from the site, though. The reason is that your payment gateway handles the transaction on its servers, not yours. So, you won’t have to worry about malicious code on the gateway’s end.
So, what can you do to protect yourself (and your visitors)?
1. Limit access to your payment gateway.
If you use PayPal or Authorize.net, don’t give the developers your login credentials. Instead, you may elect to create a limited account for them to use, then disable the account after the work is complete. Alternatively, you may log in yourself and set up a Webex session so you have visibility into what they’re doing.
2. Diversify and compartmentalize your development.
You may benefit from using two separate development teams: the first to write the code, and the second to review it.
Using tools like GitHub may help by allowing you to employ a separate team of developers to review the code for malicious intent before committing it to the live site. Bear in mind that this can be costly and extend the development time of a feature.
3. Develop a long working relationship with a trusted developer.
A lasting relationship goes a long way. If you are concerned with trust, ask the web development agency or person for referrals. Verify testimonials, look for reviews, and ask about their security policies.