March 14, 2016 By Christophe Veltsos 4 min read

On March 7, 2016, the U.S. Federal Trade Commission (FTC) announced that it ordered nine PCI companies to produce information “on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS).”

The accompanying Order to File a Special Report compelled the PCI companies to report on their policies, practices, budgets and handling of potential conflicts of interest between the PCI assessments and other services the companies might provide to their clients (i.e., auditing and consulting).

The nine companies targeted by the FTC are: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust). Each company has 45 days to comply from the order’s issuance, which is dated March 4, 2016.

Studying Compliance in PCI Companies

While the FTC’s press release stated that the collected information will be specifically used to study PCI DSS compliance, the specifications for what the PCI companies must report on will undoubtedly provide deep insights for the security services industry. Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company information, including the corporate structure of any subsidiaries and affiliates;
  • A representative client contract for both a compliance assessment and for data security forensic audit services;
  • Any complaints/inquiries against the company or any of its assessors;
  • Number of compliance assessments and percentage of revenue from them;
  • Number of qualified security assessors (QSAs), their qualifications and ongoing training, and the training materials they use;
  • Number of cases where a client received a “compliant” or “in place” designation. Conversely, the number of cases receiving “noncompliant” or “not in place” designations;
  • Information about bidding, scoping, staffing, pricing, duration, sampling methodology, methodology and tools, communications, policies and procedures; and
  • Whether a PCI company also offers data security forensic audit services and the revenue attributable to such services, as well as the policies or procedures for handling potential conflicts of interest.

Ongoing Focus on Adequate Credit Card Security

The order was approved unanimously by all four FTC commissioners: Edith Ramirez, chairwoman; Julie Brill; Terrell McSweeny; and Maureen K. Ohlhausen. It comes three months after the settlement of two major cases related to organizations’ handling of credit card security.

FTC v. Wyndham

The first is the settlement reached with Wyndham on Dec. 9, 2015. The FTC sued Wyndham in 2012 “alleging that data security failures led to three breaches in less than two years.” Specifically, “hackers infiltrated the network of a Wyndham franchisee and then exploited lax security on Wyndham’s corporate network to grab sensitive consumer data from dozens of other Wyndham franchisees,” which resulted in “millions of dollars of fraudulent charges on consumers’ credit and debit cards.” The full case time line can be found on the FTC website.

In part one of the proposed agreement, Wyndham must “establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related annual information security audits every year for the next 20 years.”

In addition, in the second part of the settlement, the company must “get an annual independent assessment” under PCI DSS. However, the commission added specific language requesting that Wyndham “safeguards the connections with its franchisee hotels” as well as a requirement that the auditor be “truly independent.”

Documents officially part of the case include version 3.1 of the PCI DSS “Requirements and Security Assessment Procedures” as well as the “PCI DSS Risk Assessment Guidelines.” Clearly, the commission has already been looking closely into the meaning of PCI DSS compliance.

FTC v. LifeLock

The second settlement worth noting was between the FTC and LifeLock, Inc. on Dec. 17, 2015. “We believe the settlement in this case will provide important protection to consumers, both by providing $100 million of redress to affected consumers and maintaining strong injunctive provisions that require annual assessments and monitoring and prohibit LifeLock from misrepresenting the level of security provided to its customers,” the FTC wrote in its official statement. It also released the full case time line.

An important point to note is that one of the four commissioners dissented from the FTC’s allegations against LifeLock. In her dissent, Commissioner Maureen K. Ohlhausen noted that “reputable third parties certified that LifeLock complied with the industry-standard Payment Card Industry Data Security Standard (PCI DSS) and other data security standards.”

She also wrote that the “recent data breach settlement with Wyndham shows that the FTC considers PCI DSS certifications to be important evidence of reasonable data security.”

The Future of Compliance

The LifeLock settlement language, which may help explain the FTC’s special report order, included warnings about organizations’ oversight of credit card security.

“PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections. The Wyndham order calls for a number of additional significant protections, including the implementation of risk assessments, certification of untrusted networks and certification of the assessor’s independence and freedom from conflicts of interest,” the FTC wrote. “In short, the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.”

As Security Intelligence reported earlier, many federal agencies sent clear signals in 2015 about the importance of protecting the data entrusted to organizations. This move by the FTC is just the first step toward ensuring compliance with data security standards and laying a framework for best practices across industries.
