Rome LLP


Staying PCI Compliant While Operating An Online Business

In September 2006, the five major payment card brands (American Express, Discover, JCB International, MasterCard, and Visa) established the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder data. The PCI SSC manages the evolving PCI security standards and works to improve payment account security throughout the transaction process. To advance these goals, the PCI SSC maintains a set of security standards that applies to any company or organization that accepts, processes, stores, or transmits cardholder data, requiring those companies to maintain a secure environment. This set of security standards is the Payment Card Industry Data Security Standard (PCI DSS), and the following is intended to help your business remain PCI compliant.

Determine The Scope Of The Cardholder Data Environment

Each merchant should begin by identifying every part of its payment processing systems that touches cardholder data. This includes internal processes governing the flow or storage of cardholder data, the individuals who handle and manage cardholder data, and any software or other technology that plays a role in transmitting, storing, or authenticating cardholder data. Systems that do not themselves handle cardholder data but are connected to, or could affect the security of, the systems that do are also within scope. This determination should be made annually, at a minimum, to confirm that no cardholder data exists outside the defined cardholder data environment.

Assess The Compliance Of System Components

While the PCI SSC publishes the PCI DSS, each major payment card brand runs its own compliance program. Once the scope of the cardholder data environment is defined, a merchant should assess whether it meets its payment card brands' standards for compliance, validation, and enforcement (see the programs of American Express, Discover, MasterCard, Visa, and JCB International).

Some merchants (generally those with the highest transaction volumes) are required to have a Report on Compliance (ROC) prepared and submitted to their card brand or acquiring bank, while others may complete the applicable Self-Assessment Questionnaire (SAQ) to assess and validate their own PCI DSS compliance. Different SAQs apply to different merchant environments (an online merchant that fully outsources card handling to a validated third-party processor faces a far shorter questionnaire than one whose own systems touch card data), but the general idea is the same: a series of yes-or-no questions for each applicable PCI DSS requirement. Ideally the answer to every question is "yes" (meaning in compliance); a "no" answer generally requires the merchant to state how and when it plans to remedy the non-compliance.

Testimonials And Expert Opinions

Providing consumer testimonials and expert opinions is a common practice for companies selling dietary supplements. However, businesses should be aware of the additional considerations raised by the use of testimonials and expert opinions online. Testimonials, like claims made about products, must be backed by adequate substantiation. Businesses must state the results that consumers can generally expect when taking a supplement they sell, and they must indicate whether a consumer's experience is expected to differ from the experience described in a testimonial. Vague disclaimers, such as "results may vary," are likely insufficient.

Should a business decide to present an expert's endorsement, it must ensure that the expert providing the endorsement is appropriately qualified and has conducted sufficient testing and examination of the product beforehand. It is also important to note that any connection between a business and its expert that would affect the weight or credibility of the expert's opinion, such as a personal or financial relationship, must be disclosed to consumers alongside the presentation of that opinion.