Compliance Standards Roundup: Avoiding Common Website Woes
In 1993, Global Network Navigator became the first commercial website. Less than a year later, the CommerceNet consortium developed secure credit card transactions, and the future of e-commerce began to take shape.
Regulations were few and far between; government was struggling to keep pace as illicit websites sprang up, spam advertising emerged and the once-academic Internet became a consumer haven. Twenty years and hundreds of technological leaps later, enterprises and web hosts must comply with a number of Internet standards. Here's a quick primer on some of the most important.
Section 508 and the ADA
Section 508 of the Rehabilitation Act focuses on making websites easily accessible for users with disabilities. It is closely related to the Americans with Disabilities Act (ADA), which guarantees access to public services and places of public accommodation to all citizens.
Although the ADA doesn't specifically mention websites, several lawsuits have been filed against companies with web pages that are not ADA compliant. Section 508 challenges are also becoming more common as the amount of data hosted on sites grows exponentially.
To remain compliant with Section 508 and the ADA, the U.S. Department of Health and Human Services (HHS) released several checklists. Some of the highlights include:
- Ensuring that file names do not contain special characters
- Avoiding the use of flashing, flickering or animated text
- Using client-side rather than server-side image maps
- Making sure information is not conveyed using color alone
Simply put, websites must be designed to afford all users broad access.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) contains a Security Rule that all covered entities — healthcare providers, health plans and clearinghouses — must follow. The rule includes a subsection on electronic protected health information, which specifies that all web pages hosting patient information must be properly secured. Many companies rely on Secure Sockets Layer (SSL) protection to achieve that security, but with recent OpenSSL and Heartbleed issues, many organizations have migrated information to new, insecure pages or have neglected to obtain new SSL certificates. Either of those actions could place a business in jeopardy of violating HIPAA.
Bottom line? Secure all web pages, deal with Heartbleed and other issues promptly, and always keep information encrypted, even on local networks.
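As an added example (not part of the original article), the following Python script audits an inventory of pages that host patient information against the two failure modes described above: pages that lost TLS during a migration, and certificates that were never reissued after Heartbleed. The hosts, URLs and certificate dates are constructed; the certificate records use the dict shape returned by ssl.SSLSocket.getpeercert(), so a real inventory can be fed in unchanged.

```python
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

# Heartbleed was publicly disclosed on 2014-04-07; a certificate issued before that
# date may have had its private key read from a vulnerable server, so reissue it.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical hosts, not real systems); each "cert"
# record uses the dict shape that ssl.SSLSocket.getpeercert() returns.
SAMPLE_INVENTORY = [
    {"url": "https://portal.example-clinic.test/records",
     "cert": {"notBefore": "Jan  5 00:00:00 2014 GMT",
              "notAfter": "Jan  5 23:59:59 2016 GMT"}},
    {"url": "http://billing.example-clinic.test/invoices",  # lost TLS in a migration
     "cert": None},
    {"url": "https://labs.example-clinic.test/results",
     "cert": {"notBefore": "Apr 20 00:00:00 2014 GMT",
              "notAfter": "Apr 20 23:59:59 2016 GMT"}},
]
SAMPLE_NOW = datetime(2015, 1, 1, tzinfo=timezone.utc)  # audit date for the sample run


def audit_page(entry, now):
    """Return the findings for one page (an empty list means no issue found)."""
    findings = []
    if urlparse(entry["url"]).scheme != "https":
        findings.append("page is served without TLS")
        return findings  # no certificate to examine on a plaintext page
    cert = entry["cert"]
    # cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings in the record
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if issued < HEARTBLEED_DISCLOSURE:
        findings.append("certificate predates Heartbleed disclosure; reissue with a new key")
    if expires < now:
        findings.append("certificate has expired")
    return findings


def audit_inventory(inventory, now):
    """Map each non-compliant URL to its findings; compliant pages are omitted."""
    return {e["url"]: f for e in inventory if (f := audit_page(e, now))}


def sample_report():
    return audit_inventory(SAMPLE_INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    for url, problems in sample_report().items():
        print(url, "->", "; ".join(problems))
```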
PCI DSS 3.0
All companies running e-commerce websites must comply with the Payment Card Industry Data Security Standard (PCI DSS). On January 1, 2014, PCI DSS was upgraded to version 3.0, which requires companies to periodically conduct penetration testing on their payment card systems, inventory system components (hardware and software) regularly and document how vendors are using cardholder data. Version 3.1 requires companies to minimize the storage of cardholder data, develop a retention and destruction policy and limit storage time to its absolute minimum.
DSHEA
In 1994, the Dietary Supplement Health and Education Act (DSHEA) was signed into law. DSHEA separates the classification and regulation of prescription drugs and dietary supplements, which contain one or more ingredients such as vitamins, minerals or herbs.
Supplement manufacturers must adhere to specific guidelines with regard to product labeling, including ingredients lists and assertions of nutritional support. Retailers must curate the information that appears on their website because unsubstantiated claims — even if they come directly from a manufacturer — can result in a warning or a sanction from the FDA.
Website compliance can seem overwhelming, owing to the large number of acts and standards currently in use, but most boil down to a single, salient point:
- Section 508: Accessibility
- HIPAA: Security
- PCI DSS: Accountability
- DSHEA: Accuracy