I am developing a web site for a company that will sell items through the site. They will provide the bank account and credit card handler account (terminology?) to which the site will link for processing payments. We will not store purchaser's account info in our databases - just name, address, etc.

The client is worried about someone being able to drain funds from his bank account through the web site and wants me to be bonded for this reason. How real is the concern? Could someone gain access to his account in this manner? If so, how can I protect against it? I have had someone try to post a fraudulent purchase against my PayPal account (those were all resolved in my favor) but that account is set up to make payments from, whereas the account in the current case could be set up to not allow payments to be drawn.

Any related advice would be greatly appreciated!