What is ITAR Compliance?

The International Traffic in Arms Regulations (ITAR) control how weapons on the United States Munitions List (USML) are sold and distributed. If your online store lands anywhere in the supply chain of organizations selling USML devices, you’ll likely need your store to be ITAR compliant. Luckily, ITAR compliance relies on strong information security best practices that can help protect sensitive customer information and make sure your store is compliant with other regulations, like those set out by the PCI DSS.

Who needs to be ITAR compliant?

If you sell any items on the USML or act as a military contractor, your online store must be ITAR compliant. Even stores that produce parts used to build USML items should consider ITAR compliance in order to ensure their data is secure.

To be more specific, ITAR covers any organization that shares data with the US Military. If you fall in that category, ITAR compliance is a critical component of your business.

Why do you need to be ITAR compliant?

The selling or export of weapons or military data is extremely sensitive. Online stores that fall under the purview of ITAR and don’t comply risk serious legal consequences.

Generally, data protection along the lines of what ITAR suggests is crucial for any ecommerce business that cares about the private information of its customers. Any payment information that runs through your system should already be protected as part of PCI compliance, so it should be a short journey from there to become ITAR compliant.

There’s no actual certification for ITAR compliance. All you need to do is make sure certain best practices are integrated into your online store’s security framework.

How do you make sure your online store is ITAR compliant?

ITAR compliance is built on strong security practices. Here are a few areas online stores can focus on in order to achieve compliance.

  • Create clear guidelines and safeguards for access control, granting access to each type of data only to the employees who need it for a legitimate business purpose.
  • Organize data types into prioritization buckets for security. Classifying your data by sensitivity gives your access control program a concrete basis for deciding who may see what.
  • Use encryption, TLS (SSL), firewalls, and other network and transmission security controls that help protect customer data from prying eyes.
  • Develop a security policy outlining all of the things your organization is doing to stay compliant and guiding employees in how they treat customer data.
  • Create a plan for dealing with a data breach, including how you’ll communicate to customers and a plan to get your security systems up and running again.
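The first two items above describe one mechanism: label data by sensitivity, then grant access by need-to-know rather than by job title. The following Python model is an added illustration, not code from the original article or from any ITAR guidance; the classification buckets, role names, purposes and sample records are constructed for the example, and the policy (clearance must cover the bucket, and the stated purpose must be one the role is approved for) is a common least-privilege pattern, not a regulatory requirement. Every read is mediated by the check and written to an audit log, denying by default.

```python
"""Need-to-know access control driven by data classification (illustrative model)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Classification(IntEnum):
    """Sensitivity buckets ordered from least to most sensitive (constructed labels)."""
    PUBLIC = 0
    INTERNAL = 1
    CUSTOMER_PII = 2
    EXPORT_CONTROLLED = 3


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: Classification
    payload: str


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Classification  # highest bucket this role may read
    purposes: frozenset        # business purposes that justify access


# Constructed sample roles: access is tied to an approved purpose, not just a title.
ROLES = {
    "support": Role("support", Classification.CUSTOMER_PII,
                    frozenset({"order_support"})),
    "marketing": Role("marketing", Classification.INTERNAL,
                      frozenset({"campaign_analysis"})),
    "export_officer": Role("export_officer", Classification.EXPORT_CONTROLLED,
                           frozenset({"order_support", "license_review"})),
}

# Constructed sample records a store might hold.
RECORDS = {
    "catalog-1": Record("catalog-1", Classification.PUBLIC, "Product listing"),
    "order-42": Record("order-42", Classification.CUSTOMER_PII, "Ship to: J. Doe, ..."),
    "spec-7": Record("spec-7", Classification.EXPORT_CONTROLLED, "Controlled technical data"),
}

AUDIT_LOG = []  # one entry per access attempt, allowed or denied


def is_authorized(role, purpose, record):
    """Need-to-know check: clearance must cover the bucket AND the purpose must be approved."""
    if record.classification > role.clearance:
        return False
    if purpose not in role.purposes:
        return False
    return True


def read_record(user, role_name, purpose, record_id):
    """Mediate every read through the policy and log the decision; unknown role or record is denied."""
    role = ROLES.get(role_name)
    record = RECORDS.get(record_id)
    allowed = role is not None and record is not None and is_authorized(role, purpose, record)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role_name,
        "purpose": purpose,
        "record": record_id,
        "classification": record.classification.name if record else None,
        "decision": "ALLOW" if allowed else "DENY",
    })
    if not allowed:
        raise PermissionError(f"{user} ({role_name}) denied {record_id} for {purpose}")
    return record.payload


def try_read(user, role_name, purpose, record_id):
    """Return the decision as a string, for demos and tests."""
    try:
        read_record(user, role_name, purpose, record_id)
        return "ALLOW"
    except PermissionError:
        return "DENY"


if __name__ == "__main__":
    print(try_read("alice", "support", "order_support", "order-42"))        # ALLOW
    print(try_read("bob", "marketing", "campaign_analysis", "order-42"))    # DENY: bucket above clearance
    print(try_read("alice", "support", "curiosity", "order-42"))            # DENY: purpose not approved
    print(try_read("carol", "export_officer", "license_review", "spec-7"))  # ALLOW
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keeping a purpose in the request is that it makes the audit log answer the question a reviewer or incident responder will ask: not just who read a record, but under which business justification, and which attempts were refused.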
