Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. Some examples are:

An undocumented installed component has a vulnerability announced. The server hosting the ecommerce application makes an unapproved connection to another system. The fully outsourced payment form template is modified to include code from the merchant's server. Personal data relating to an individual is used for a purpose the individual has not consented to. An unauthorised change to configuration data such that some component/service is no longer configured adequately. Unapproved/insecure services/applications are installed/enabled. The terms of service, or privacy statement, are modified without approval. Personal data is inadvertently mixed with business contact data. A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy. An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. For example, an ecommerce website might be eligible to assess and report under PCIDSS using Self Assessment Questionnaire (SAQ) A, but due to one of the above issues, the merchant no longer meets the eligibility requirements, and thus has to use controls in and report under the longer SAQ A-EP or full SAQ D.

Consider:

What could change that affects compliance? How will the application detect this? What is the incident response process for these?