I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.
As far as storing their card, don't do it directly, but go with a token-based processor, such as Quantum Vault or Authorize.Net or even Stripe. Make them do the heavy lifting for you.
Adding to the above post though, let your users know somehow when they last logged in, and from what IP. Why? If they don't recognize it, they'll contact you.
Make sure you store all logins for the customer. Time, date, IP, hostname. Why? It'll make things much easier for you in the long run.
Security questions are good, but don't make them too good. Remember, not everyone is married, dating someone, has a car, drives, has a pet. Stick with the basics, and allowing them to write their own question is always a good thing.
Tom Whiting, WHMCS Guru
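The login record and "last login" notice suggested in the post above, sketched as an added example (not part of the original post and not WHMCS code). SQLite stands in for the billing system's database; the table, column and function names are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one append-only row per login.
SCHEMA = """
CREATE TABLE IF NOT EXISTS login_history (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id   INTEGER NOT NULL,
    logged_at TEXT    NOT NULL,   -- UTC, ISO 8601
    ip        TEXT    NOT NULL,
    hostname  TEXT                -- reverse DNS if the caller has it, else NULL
);
CREATE INDEX IF NOT EXISTS idx_login_user ON login_history (user_id, id);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def record_login(db, user_id, ip, hostname=None, when=None):
    """Store this login and return the user's previous one as
    (logged_at, ip, hostname), or None if this is the first."""
    when = when or datetime.now(timezone.utc)
    # Read the previous row first, so the notice never shows the current login.
    previous = db.execute(
        "SELECT logged_at, ip, hostname FROM login_history "
        "WHERE user_id = ? ORDER BY id DESC LIMIT 1", (user_id,)).fetchone()
    db.execute(
        "INSERT INTO login_history (user_id, logged_at, ip, hostname) "
        "VALUES (?, ?, ?, ?)",
        (user_id, when.isoformat(timespec="seconds"), ip, hostname))
    db.commit()
    return previous

def last_login_banner(previous):
    """Text to show the customer right after sign-in."""
    if previous is None:
        return "This is your first login."
    logged_at, ip, hostname = previous
    origin = f"{ip} ({hostname})" if hostname else ip
    return f"Last login: {logged_at} from {origin}"

def login_count(db, user_id):
    """Number of stored logins for one customer (full history is kept)."""
    return db.execute("SELECT COUNT(*) FROM login_history WHERE user_id = ?",
                      (user_id,)).fetchone()[0]
```
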