Modify your code to stop storing data such as full credit card numbers, expiration dates and CVV codes, and purge the old records from your database. Only a minimal amount of data is necessary for charge-backs and refunds.
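As an added illustration of that first point (this is example code, not code from the original post), a small Python routine that strips the PAN, expiry and CVV from order records, keeps only the last four digits plus the fields a refund or charge-back needs, drops records past a retention window, and flags Luhn-valid card numbers that have leaked into free-text fields; the field names, sample orders and retention period are constructed assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample of the kind of order table the post warns about: the full
# card number, expiry and CVV stored next to the order. Dates are ISO strings.
SAMPLE_ORDERS = [
    {"order_id": 1001, "pan": "4111111111111111", "exp": "12/26", "cvv": "123",
     "gateway_ref": "txn-a1", "amount": 49.99, "placed": "2011-03-02"},
    {"order_id": 1002, "pan": "4242424242424242", "exp": "03/25", "cvv": "987",
     "gateway_ref": "txn-b2", "amount": 120.00, "placed": "2011-11-20"},
]

# Fields that must never be retained once the charge has been authorised.
SENSITIVE_FIELDS = ("pan", "exp", "cvv")

# 13-19 digit runs are candidate card numbers; Luhn filters out most false hits.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def minimize(order: dict) -> dict:
    """Keep only what a refund needs: last four digits and the gateway reference."""
    pan = order.get("pan", "")
    out = {k: v for k, v in order.items() if k not in SENSITIVE_FIELDS}
    out["last4"] = pan[-4:] if pan else None
    return out


def purge_old(orders: list, today_iso: str, keep_days: int) -> list:
    """Drop records older than the retention window and minimize the rest."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=keep_days)).isoformat()
    return [minimize(o) for o in orders if o["placed"] >= cutoff]


def find_stray_pans(text: str) -> list:
    """Detect Luhn-valid card numbers hiding in notes, logs or other free text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    for rec in purge_old(SAMPLE_ORDERS, "2012-01-01", 180):
        print(rec)
    print(find_stray_pans("customer called about card 4111111111111111, order 1001"))
```

Run the stray-PAN scan over exported text columns (order notes, support tickets, application logs) as well as the obvious card table; that is where card numbers usually turn up after the main table has been cleaned.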
Segregate any other websites you run, such as a forum, a blog or an auction site, from your main site. Move that stuff off to a separate server and decrease your attack surface.
This is just good system administration: we run into breached sites running a 3-year-old version of PHP or ColdFusion from 2007. The same thing goes for your web apps: Xcart, OSCommerce, ZenCart and all the others need to be patched regularly.
A penetration tester will run the same tools an attacker will run. It costs money, but they will identify the vulnerabilities in your site, and a good one will guide you in correcting the problems. You could purchase roughly 2 years of penetration tests for the cost of having us on-site for a week to work a breach.
A WAF is a really good start to a comprehensive approach. ModSecurity is free and supports all of the major web servers (IIS, Apache, Nginx). If it is installed properly it will stop malicious traffic before it ever reaches your application.
There you have it!