We are in the process of creating a web application for customers to order a debit card. Is there a regulation that requires a customer signature for a new debit card (not reorder)? Does the same hold true for business debit cards?

Reg E allows for you to issue a debit card to a customer based on an oral request.

Sec. 205.5 Issuance of access devices.

(a) Solicited issuance. Except as provided in paragraph (b) of this section, a financial institution may issue an access device to a consumer only:

(1) In response to an oral or written request for the device; or

(2) As a renewal of, or in substitution for, an accepted access device whether issued by the institution or a successor.

There is no requirement of which I am aware from VISA or MasterCard requiring the application bear a customer signature.

Make sure you do a risk assessment for your ID Theft program and have controls in place to identify reg flags such as recent address changes just before a card is requested on your web application.

I see the biggest risk in knowing who you sent your card to, that it was sent unactivated, and to understand what is required to activate it.

As Crowman noted, signatures are up to you. If you require them in the branch, ask why. If it is a necessity, how will you mitigate the risks online of having only an e-request? If logon credentials to your IB site are needed, you have some assurance of your customer's ID. If these are new accounts, I'm interested in hearing about your CIP and risk mitigation methods too.