Members of the Web site Points.com can exchange their miles or points in select loyalty programs, such as American Airlines AAdvantage, for miles and points in other participating programs, use them to shop on eBay, or trade them for gift certificates at JCPenney and FTD.com.
"We model ourselves like a bank, and we need to be as secure as a bank," says Darlene Higbee Clarkin, CTO and vice president of IT at Points International, operator of the site. That provision extends to Digex, which hosts Points International's entire IT infrastructure.
The company is assured of Digex's approach to security because the hosting firm invites Ernst & Young to conduct an annual audit of the IT and business processes and procedures that affect its customers' business. The auditor details its findings in a document called a Statement of Auditing Standards (SAS) No. 70 report.
Developed by the American Institute of Certified Public Accountants (AICPA) and launched in 1992, the internationally recognized SAS 70 provides an independent verification of the descriptions of a service provider's control activities and processes.
"Being SAS 70 audited was the determining factor for us," Higbee Clarkin says of the decision to use Digex. "We feel confident that Digex has the processes and infrastructure that would protect us from potential compromise." The audit also gives Points International's partners peace of mind.
A SAS 70 audit is particularly useful for companies that outsource certain parts of their operations and need to undergo annual financial audits. They can show their auditor the SAS 70 report of their service suppliers so the auditor doesn't need to conduct its own audit of the provider's facility.
Generally, the controls or processes that are audited are those that protect customer data, and that usually includes the IT functions. Because of this, SAS 70 is generating a resurgence of interest from businesses that are required to meet new regulations designed to protect sensitive data.
Pamela Fusco, chief security officer and director of systems security at Digex, says customers request Digex's SAS 70 report to help them meet the requirements of such regulations as the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley financial reporting act and the Gramm-Leach-Bliley privacy act.