The Payment Card Industry (the credit-card issuers) has created its own set of regulations that e-commerce sites must follow if they are to continue processing credit card payments. The regs are pretty good -- a 12-point checklist of areas that need to be covered, for example "Do not use vendor default passwords on IT products" and "Uniquely authenticate each person accessing computer systems." It's a great idea, but it is yet another regulation that needs to be dealt with.

http://www.ecommercetimes.com/story/113003FF5PFJ.xhtml