FTC Studying Practices of Nine PCI Companies

On March 7, 2016, the U.S. Federal Trade Commission (FTC) announced that it ordered nine PCI companies to produce information “on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS).”

The accompanying Order to File a Special Report compelled the PCI companies to report on their policies, practices, budgets and handling of potential conflicts of interest between the PCI assessments and other services the companies might provide their clients (i.e., the auditing and consulting).

The nine companies targeted by the FTC are: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust). Each company has 45 days to comply from the order’s issuance, which is dated March 4, 2016.

Studying Compliance in PCI Companies

While the FTC’s press release stated that the collected information will be specifically used to study PCI DSS compliance, the specifications for what the PCI companies must report on will undoubtedly provide deep insights for the security services industry. Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company information, including the corporate structure of any subsidiaries and affiliates;
  • A representative client contract for both a compliance assessment and for data security forensic audit services;
  • Any complaints/inquiries against the company or any of its assessors;
  • Number of compliance assessments and percentage of revenue from them;
  • Number of qualified security assessors (QSAs), their qualifications and ongoing training, and the training materials they use;
  • Number of cases where a client received a “compliant” or “in place” designation. Conversely, the number of cases receiving “noncompliant” or “not in place” designations;
  • Information about bidding, scoping, staffing, pricing, duration, sampling methodology, methodology and tools, communications, policies and procedures; and
  • Whether a PCI company also offers data security forensic audit services and the revenue attributable to such services, as well as the policies or procedures for handling potential conflicts of interest.

Ongoing Focus on Adequate Credit Card Security

The order was approved unanimously by all four FTC commissioners: Edith Ramirez, chairwoman; Julie Brill; Terrell McSweeny; and Maureen K. Ohlhausen. It comes three months after the settlement of two major cases related to organizations’ handling of credit card security.

FTC v. Wyndham

The first is the settlement reached with Wyndham on Dec. 9, 2015. The FTC sued Wyndham in 2012 “alleging that data security failures led to three breaches in less than two years.” Specifically, “hackers infiltrated the network of a Wyndham franchisee and then exploited lax security on Wyndham’s corporate network to grab sensitive consumer data from dozens of other Wyndham franchisees,” which resulted in “millions of dollars of fraudulent charges on consumers’ credit and debit cards.” The full case time line can be found on the FTC website

In part one of the proposed agreement, Wyndham must “establish a comprehensive information security program to protect cardholder data, including payment card numbers, names and expiration dates, and must conduct related annual information security audits every year for the next 20 years.”

In addition, in the second part of the settlement, the company must “get an annual independent assessment” under PCI DSS. However, the commission added specific language requesting that Wyndham “safeguards the connections with its franchisee hotels” as well as a requirement that the auditor be “truly independent.”

Documents officially part of the case include version 3.1 of the PCI DSS “Requirements and Security Assessment Procedures” as well as the “PCI DSS Risk Assessment Guidelines.” Clearly, the commission has already been looking closely into the meaning of PCI DSS compliance.

FTC v. LifeLock

The second settlement worth noting was between the FTC and LifeLock, Inc. on Dec. 17, 2015. “We believe the settlement in this case will provide important protection to consumers, both by providing $100 million of redress to affected consumers and maintaining strong injunctive provisions that require annual assessments and monitoring and prohibit LifeLock from misrepresenting the level of security provided to its customers,” the FTC wrote in its official statement. It also released the full case time line.

An important point to note is that one of the four commissioners dissented with the FTC’s allegations against LifeLock. In her dissent, Commissioner Maureen K. Ohlhausen noted that “reputable third parties certified that LifeLock complied with the industry-standard Payment Card Industry Data Security Standard (PCI DSS) and other data security standards.”

She also wrote that the “recent data breach settlement with Wyndham shows that the FTC considers PCI DSS certifications to be important evidence of reasonable data security.”

The Future of Compliance

Perhaps explaining the FTC special report order, the LifeLock settlement language included warnings for organizations’ oversight of credit card security.

“PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections. The Wyndham order calls for a number of additional significant protections, including the implementation of risk assessments, certification of untrusted networks and certification of the assessor’s independence and freedom from conflicts of interest,” the FTC wrote. “In short, the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.”

As Security Intelligence reported earlier, many federal agencies sent clear signals in 2015 about the importance of protecting the data entrusted to organizations. This move by the FTC is just the first step toward ensuring compliance with data security standards and laying a framework for best practices across industries.

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.