FTC Investigates PCI Audits
The Federal Trade Commission is investigating the Payment Card Industry Data Security Standard (PCI DSS) audit process, issuing orders to nine companies to provide the agency with information on how they conduct assessments of companies to measure their PCI compliance. Legal experts suggest that the investigation could provide insight into how the FTC might seek to influence the audit process going forward.
The major payment card companies require PCI DSS audits of retailers and other businesses that process more than 1 million card transactions in a given year; the audits are intended to ensure that those companies provide adequate protection for consumers’ sensitive personal information.
The nine companies receiving orders from the FTC are: Foresite MSP LLC; Freed Maxick CPAs P.C.; GuidePoint Security LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).
According to the announcement, the FTC is seeking details about the assessment process employed by the companies, including the ways assessors and the companies they assess interact; copies of a limited set of example PCI DSS assessments; and information on additional services provided by the companies, including forensic audits. The FTC said it will use the data collected to study the state of PCI DSS assessments.
“The FTC’s request provides insight into the direction their investigation is likely to take with regard to the extent that businesses being assessed are involved in and possibly influencing the assessment process,” according to Ballard Spahr’s privacy and data security group and consumer financial services group. “Specifically, the orders ask each company to report:
- The company’s annual gross revenue and the amount of its annual gross revenue attributable to compliance assessments
- How many compliant and non-compliant designations each company gave during the applicable time period
- The bidding process by which the company competes for compliance assessments and the pricing structure for compliance assessments
- The extent to which the company communicates with clients during the compliance assessment and whether the company accepts input on the draft compliance report from the client
- Whether the company ever gives the client the opportunity to remediate any deficiencies that it finds before the compliance assessment is completed”
Ballard Spahr also points out that the FTC’s inquiry follows the CFPB’s first data security enforcement action, which included allegations that Dwolla Inc., despite making representations that it had implemented practices in compliance with the PCI DSS, failed to adopt and implement reasonable and appropriate data security policies and procedures. The FTC’s and CFPB’s recent interest in this area should serve as a reminder to companies to be vigilant about their compliance with industry standards such as PCI DSS, according to the law firm.