Compliance requirements for e-commerce, private companies
-
This is not a SOX issue, but I can help a little. There are significant federal and state regulations concerning records retention, which vary from state to state. Storing a customer's credit card number in full is typically a violation of their merchant contract with that particular card company (i.e. Visa, MC, Discover, Amex), not SOX. http://www.mastercardmerchant.com/images/industry_letter.pdf. SOX does not impact privately held companies, yet. Hope this has been of some help.
-
Thanks for clearing that up. Are there other forbidden items for storage? Such as billing address, 3 digit verification numbers, etc.?
-
Depends on each individual's merchant contract, but typically you would not want to keep the full card number together with the expiration date or the 3-digit verification number, to assist in the prevention of card fraud.
-
Hi Cassandra,
In this instance I would disagree with you. If the software company stores/processes/transacts any financial information FOR OR ON BEHALF of a listed company, then the private company may be subject to one of the following:
- Being audited by their clients
- Needing to go and get a SAS 70 for their operations
I am currently on a client that has the same problem of outsourcing some of their IT functions to privately owned companies. Since they do not have a SAS 70, I am auditing their operations as well.
I'd be interested in hearing your thoughts.
Tristan.
-
Tristan,
I was only going on the basis of a privately held company, but a SAS 70 only applies to companies who are publicly traded too. Most privately held companies do not even have the equivalent of the SAS 70, since they are not required to. You can ask them for some documentation as to their controls over procedures, and always pull your business if you don't like their policies, but still, privately held companies are not governed by SOX, which can be frustrating when you are trying to document controls. In the instances I have dealt with, predominantly records retention sites such as Iron Mountain or Safe Site, I have personally documented their procedures as well as requested a letter from their management attesting to the controls they have in place.
-
Coincidentally, I just stumbled upon this today. This article from CFO is a little dated, but it seemed cogent to the discussion. It might provide some insight that helps clarify some of the SAS 70 implications.
Hope that helps,
Rick
-
Thanks Rick, I actually have a question to pose about the SAS 70. Who is required to perform one, or is this an option for a service company?
-
Take this with a grain of salt, as I'm no expert... but that's never stopped me before. 8O Hopefully, I'm getting at the answer you're seeking.
It is my understanding that SAS 70 applies when an auditor works on the financial statements of an organization that employs the services of another organization as part of its day-to-day operations, like an outsourced data center or call center. I'm not clear that the service provider's status (public or private) comes into play. I do know that it's not a standardized set of requirements. It seems to be a little more objective than that.
Hope that helps,
Rick