On March 7, 2016, the U.S. Federal Trade Commission (FTC) announced that it ordered nine PCI companies to produce information “on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS).”

The accompanying Order to File a Special Report compelled the PCI companies to report on their policies, practices, budgets and handling of potential conflicts of interest between the PCI assessments and other services the companies might provide their clients (i.e., the auditing and consulting).

The nine companies targeted by the FTC are: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust). Each company has 45 days to comply from the order’s issuance, which is dated March 4, 2016.

Studying Compliance in PCI Companies

While the FTC’s press release stated that the collected information will be specifically used to study PCI DSS compliance, the specifications for what the PCI companies must report on will undoubtedly provide deep insights for the security services industry. Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company information, including the corporate structure of any subsidiaries and affiliates;
  • A representative client contract for both a compliance assessment and for data security forensic audit services;
  • Any complaints/inquiries against the company or any of its assessors;
  • Number of compliance assessments and percentage of revenue from them;
  • Number of qualified security assessors (QSAs), their qualifications and ongoing training, and the training materials they use;
  • Number of cases where a client received a “compliant” or “in place” designation. Conversely, the number of cases receiving “noncompliant” or “not in place” designations;
  • Information about bidding, scoping, staffing, pricing, duration, sampling methodology, methodology and tools, communications, policies and procedures; and
  • Whether a PCI company also offers data security forensic audit services and the revenue attributable to such services, as well as the policies or procedures for handling potential conflicts of interest.

Ongoing Focus on Adequate Credit Card Security

The order was approved unanimously by all four FTC commissioners: Edith Ramirez, chairwoman; Julie Brill; Terrell McSweeny; and Maureen K. Ohlhausen. It comes three months after the settlement of two major cases related to organizations’ handling of credit card security.

FTC v. Wyndham

The first is the settlement reached with Wyndham on Dec. 9, 2015. The FTC sued Wyndham in 2012 “alleging that data security failures led to three breaches in less than two years.” Specifically, “hackers infiltrated the network of a Wyndham franchisee and then exploited lax security on Wyndham’s corporate network to grab sensitive consumer data from dozens of other Wyndham franchisees,” which resulted in “millions of dollars of fraudulent charges on consumers’ credit and debit cards.” The full case timeline can be found on the FTC website.

In part one of the proposed agreement, Wyndham must “establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related annual information security audits every year for the next 20 years.”

In addition, in the second part of the settlement, the company must “get an annual independent assessment” under PCI DSS. However, the commission added specific language requesting that Wyndham “safeguards the connections with its franchisee hotels” as well as a requirement that the auditor be “truly independent.”

Documents officially part of the case include version 3.1 of the PCI DSS “Requirements and Security Assessment Procedures” as well as the “PCI DSS Risk Assessment Guidelines.” Clearly, the commission has already been looking closely into the meaning of PCI DSS compliance.

FTC v. LifeLock

The second settlement worth noting was between the FTC and LifeLock, Inc. on Dec. 17, 2015. “We believe the settlement in this case will provide important protection to consumers, both by providing $100 million of redress to affected consumers and maintaining strong injunctive provisions that require annual assessments and monitoring and prohibit LifeLock from misrepresenting the level of security provided to its customers,” the FTC wrote in its official statement. It also released the full case time line.

An important point to note is that one of the four commissioners dissented with the FTC’s allegations against LifeLock. In her dissent, Commissioner Maureen K. Ohlhausen noted that “reputable third parties certified that LifeLock complied with the industry-standard Payment Card Industry Data Security Standard (PCI DSS) and other data security standards.”

She also wrote that the “recent data breach settlement with Wyndham shows that the FTC considers PCI DSS certifications to be important evidence of reasonable data security.”

The Future of Compliance

Perhaps explaining the FTC special report order, the LifeLock settlement language included warnings for organizations’ oversight of credit card security.

“PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections. The Wyndham order calls for a number of additional significant protections, including the implementation of risk assessments, certification of untrusted networks and certification of the assessor’s independence and freedom from conflicts of interest,” the FTC wrote. “In short, the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.”

As Security Intelligence reported earlier, many federal agencies sent clear signals in 2015 about the importance of protecting the data entrusted to organizations. This move by the FTC is just the first step toward ensuring compliance with data security standards and laying a framework for best practices across industries.
