Compliance requirements for e-commerce, private companies



  • We are a small software development house doing a lot of web site development for small companies, particularly e-commerce. I’ve been told by those who claim to know that even though Sarb-Ox is aimed at publicly traded companies, there are data storage and retention issues for private companies as well when the data is stored on a ‘publicly available’ server, for example a web server.
    We need to avoid giving legal advice to our customers, but we would like to be able to intelligently advise them on when they need to talk to their attorneys about this, and have good rules of thumb for what not to do to trigger Sarb-Ox compliance requirements. For example, I’ve been told not to store customers’ credit cards in the database. True or not, what data items stored on web servers will trigger Sarb-Ox compliance requirements?


  • This is not a SOX issue, but I can help a little. There are significant government and state regulations concerning records retention which vary from state to state. The storing of a customer’s credit card in full is typically a violation of their merchant contract with that particular CC company (i.e. visa, mc, disc, amex), not SOX. http://www.mastercardmerchant.com/images/industry_letter.pdf. SOX does not impact privately held companies, yet. Hope this has been of some help.



  • Thanks for clearing that up. Are there other forbidden items for storage? Such as billing address, 3 digit verification numbers, etc.?



  • Depends on each individual’s merchant contract, but typically you would not want to keep the full CC number with the expiration date or 3 digit verification numbers to assist in the prevention of CC fraud.



  • Hi Cassandra,
    In this instance I would disagree with you. If the software company stores/processes/transacts any financial information FOR OR ON BEHALF of a listed company then the private company may be subject to one of the following:

    1. Being audited by their clients
    2. They need to go and get a SAS 70 for their operations.

    I am currently on a client that has the same problem of outsourcing some of their IT functions to privately owned companies. Since they do not have SAS 70 I am auditing their operations as well.
    I’d be interested in hearing your thoughts.
    Tristan.


  • Tristan,
    I was only going on the basis of a privately held company, but a SAS 70 only applies for companies who are publicly traded too. Most privately held companies do not even have the equivalent of the SAS 70 since they are not required. You can ask them for some documentation as to their controls over procedures, and always pull your business if you don’t like their policies, but still, privately held companies are not governed by SOX, which can be frustrating when you are trying to document controls. In the instances I have dealt with, predominantly records retention sites such as Iron Mountain or Safe Site, I have personally documented their procedures as well as requested a letter from their management attesting to their controls in place.



  • Coincidentally, I just stumbled upon this today. This article from CFO is a little dated, but it seemed cogent to the discussion. It might provide some insight that helps clarify some of the SAS 70 implications.

    Hope that helps,
    Rick

