Re: E-Commerce Compliance Requirements

[Jeffrey Walton <noloader () gmail com>]

On Fri, May 6, 2011 at 8:25 AM, Matthew Reed <mreed () cgx com> wrote:
> If you are taking credit card information, PCI will likely be the top priority.
You might also inquire into Sony's auditing firm to relieve you of
some of the regulatory and compliance burdens
(http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html).
They seem to be very accommodating.

> You also will have to investigate to find out if you are taking any PHI (Protected Health Information). While this is 
> not usually the case, many people do not account for it or understand what PHI is. Any data that links a person to 
> their physician, ailment or coverage is likely in scope for HIPAA. I have seen quite a few e-commerce solutions that 
> collect heath information, you will want to confirm that is not in your scope. If it is, you will need to learn about 
> HIPAA.
>
> If the company is publicly traded and the e-commerce revenue is considered direct billing, then this may likely be 
> considered an accounting application and SOX (Sarbanes-Oxley) would come into play as well.
>
>
> Matthew Reed, GSEC, GCIH, CHPSE
>
>
> [SNIP]

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------