Compliance testing is a form of testing performed to ensure a system or product meets specific regulations or legal requirements. While there are different types of compliance, they all have the common goal of protecting users, companies, and stakeholders.

Compliance Testing Guide

Types of Compliance 

508 Compliance

Section 508 is US legislation and is an amendment to the Rehabilitation Act of 1973. 508 compliance testing involves the inclusion of electronic systems for those with disabilities. The most commonly presented disabilities tested for are vision impairments such as color blindness, hearing impairments, sensitivities to flashing, and specific learning or physical disabilities. 

Examples:

  • If a user experiences color blindness, consider the importance of using color as a distinguishing factor on a web page. If the instructions read ‘Click the green button to stop,’ will the user be able to complete the task?
  • If a user is hard of hearing, using sound as a distinguishing factor can cause issues. If the instructions read ‘Type your name after the beep,’ would the user know when to type? Is there any other indicator provided?
  • Specific fonts can be hard to decipher for users with dyslexia. Making text clear and readable, such as using san serif fonts, is essential to enhancing the user experience.

PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was initiated in 2006 to protect credit card users. It ensures that all companies that process, store, or transmit credit card data do so securely. PCI testing often includes penetration and other types of security testing across devices and networks. I once worked for a credit card processing company, and we audited our PCI compliance yearly. The process was very stressful, and I was often asked why I approved certain features. However, the seriousness of the task improved my sense of ownership of the product.

SOX Compliance

The Sarbanes-Oxley Act established in 2002 requires publicly traded companies in the USA or foreign-owned and publicly traded companies who vend with the USA to be held accountable for inaccuracies in accounting, whether intentionally fraudulent or accidental. The relevant information includes data given to shareholders, where accuracy is imperative to their decision-making. Another job I had was testing for SOX compliance. Audits, both internal and external, were ongoing.  

Industry Specific Compliance

Some industries like automobile, technology, medical, pharmaceutical, and food must adhere to compliance specific to their industries.

Automobile and Medical Compliance

Examples:

  • The automobile industry has strict safety guidelines they must meet. They test safety features like airbags, seatbelts, and braking to ensure driver and passenger safety.
  • The medical industry also has strict guidelines for testing medical devices. For instance, it’s critical that a person with diabetes who uses an insulin pump must be able to trust the device. Testing for accuracy and sensitivity in different conditions is necessary. But also consider reliability. Does the unit have a low battery warning or indicator? The medical field has strict guidelines and regulations from multiple agencies.
  • Along with its hardware testing, medical sites must also consider HIPAA compliance which protects users’ medical history.

Location Specific Compliance

When a website serves people within a particular location, it may be required to follow specific laws or policies. Below are a few examples.

California

  • CCPA – The California Consumer Privacy Act is a privacy law designed to protect the personally identifiable data of California residents.
  • CPRA – The California Privacy Rights Act comes into force in January 2023. It is an extension of the CCPA and adds that every website collecting data must be compliant. Previously it only pertained to sites that collected and sold the data.
  • CalOPPA – The California Online Privacy Protection Act declares that a website must reveal any third party that collects a user’s data.
  • Eraser Button Law – The Privacy Rights for California Minors in the Digital World Act (known as the Eraser Button Law) protects California minors. It enforces a rule that any site where a minor can create an account and post content must also present the option to remove the content at any time.

Europe

  • General Data Protection Regulation – GDPR protects users in Europe by enforcing a law for websites that offer goods and services by setting guidelines on what, how, and when data can be collected and used. 
  • EU Cookie Directive – The EU Cookie Directive, known as the Cookie Law, protects users within the EU by requiring sites to obtain consent from the user before collecting their data.

Canada

  • CPPA – Canada’s Consumer Privacy Protection Act protects the country’s data by compelling websites to be transparent on how their data will be collected and used.

How to Test for Compliance

Providing a high-quality product that benefits the user and the company is the shared goal for the many types of compliance and testing.

Test planning

The first step to compliance testing is test planning. Firstly, it is essential to have a complete understanding of the requirements. In addition, the tester needs to know the laws or regulations for the system they are testing. Finally, test planning is a great time to clear up any inconsistencies or questions about requirements before writing test cases.

It’s also likely that more questions will arise throughout the testing process, so it’s vital to establish a point of contact, someone who can clarify any ambiguities discovered along the way. 

Another essential part of test planning is understanding who the user will be. For example, are you testing for SOX compliance, and is the end-user a shareholder? If so, perhaps consider making a financial report that’s readable on their level. Or are you testing for 508 compliances on a website? If so, you will have several end-users and may need several test cases for each user. 

Test Execution

Execute your test cases in an environment as close as possible to production. You will need the same equipment and experience as your users. Never be afraid to ask for what you need. Compliance testing is critical, and it’s unfeasible to approve a system if it isn’t reasonably similar to what the end-user will experience. 

Test Analysis and Reporting

Since compliance testing often involves legal regulations, keeping records of testing and testing results is imperative. Traceability is vital because it will help the tester provide detailed information on test coverage. Discuss acceptance values during test planning. 

Defect management will be more important during compliance testing than other types of testing because a critical defect can be the difference between being compliant and not. In addition, mistakes can be costly and involve a reputation decline and legal ramifications. Therefore, a process should be in place for describing how to handle critical bugs and defects. 

Compliance Testing & Certification Tools

Website compliance is a vast topic with several subtypes. Due to its expansive nature, there are multiple tools available. Some of these tools help with the testing process, while others aid the certification process.

508 Compliance Tools

  • Color Oracle is a free testing tool. The tool boasts that it is the ‘best available algorithm for visualizing color vision impairment,’ which it does through simulating different types of color blindness. The product allows users to apply a full-screen color filter on their computers, and a links page lists other useful color impairment design tools.
  • ANDI is a free testing tool developed by the United States Social Security Administration. It is a browser extension for Chrome, Edge, Firefox, and Safari that detects accessibility issues and provides suggestions for improvement.

PCI Compliance Tools

  • SolarWinds offers a suite of products that provide audit trails for PCI-related events and file integrity monitoring. It is a paid service offering both basic and more advanced options and is priced per node monthly.
  • Comodo is a compliance certification tool and an approved scanning vendor that provides a PCI scan. It offers end-point and active breach protection. The website does not list prices, but you can request them along with a free demo.
  • SecurityMetrics is a PCI, GDPR, and HIPPA compliance certification tool that helps you achieve and maintain compliance. It has services that provide security audits and testing.

SOX Compliance Tools

  • SolarWinds, mentioned above, also offers products that provide customizable reports that create records of SOX compliance. 
  • AuditBoard is the leading cloud-based SOX compliance management tool. Pricing is unavailable on the website, but you can request pricing details and a free demo.

Tips for Compliance Testing 

  • One way to make compliance testing easier is to have a solid understanding of the regulations. A tester can acquire many types of certifications to strengthen their knowledge of a compliance type. 
  • Master the skill of documentation. As described above, documentation is more important than ever when practicing compliance testing. Having an excellent process for documenting and storing the test data can be a lifesaver down the road if questions arise.
  • Don’t be afraid of using tools. While there are many, and the selection process can seem overwhelming, the right tools improve the quality and time required for testing, making the payoff invaluable. Although learning a new program may take an hour, it will most likely save you multiple work hours.
  • Also, don’t be afraid to ask questions or get clarification. As a tester, when you test and approve something, you take ownership that the item is now in compliance. No one should expect you to sign your name on something unless you have the confidence to do so. 
Compliance Guide Tips

Conclusion

The process of compliance testing can be tedious and stressful due to its serious nature. However, being attentive is the right way to proceed because undiscovered issues can bring severe consequences. Despite the significance, compliance testing is satisfying because the tester can acquire personal ownership of a system within a company. Understanding the specific requirements or regulations is key to successful compliance testing.