FTC Serves Notice to PCI Auditors
A new notice to PCI DSS auditors may be an early sign that the FTC is taking a hard look at the effectiveness of the PCI data security standards and audit process.
It’s been a long time coming, but now the reckoning appears to be here for the companies that have made piles of money on the gravy train that is the PCI DSS audit. The Federal Trade Commission this week announced that it is going to take a hard look at the practices of these auditors and the results of the work that they’ve done.
The commission sent an order to nine companies involved in PCI compliance audits, including Verizon Enterprise Solutions, Mandiant, and PricewaterhouseCoopers, requiring them to submit a detailed Special Report that includes a long list of information on how they conduct their business. What the FTC is doing is unprecedented and is bound to cause some uncomfortable meetings and discussions in the next few weeks.
The ineffectiveness of PCI as a security standard has been the worst kept secret in the industry for more than a decade. Designed by the major payment card issuers as a set of controls to govern the way that companies who accept payments handle data, the standard has a core set of 12 basic requirements. It also includes a requirement that organizations undergo annual audits to check for compliance. Those audits are done by third parties, such as the ones the FTC sent its order to.
While the commission is interested in a variety of aspects of the auditors’ work, the specific areas that stand out in the order are the sections that ask for data on how often the companies find a client to be non-compliant in an audit and how many clients suffered a data breach in the year following a successful audit. That latter bit could prove to be the most important piece of the entire thing.
“State the annual number of the Company’s Compliance Assessment clients that have suffered a Breach in the year following the Company’s completion of the Assessment for each year of the Applicable Time Period. For each such client, state whether it was subsequently determined not to be PCI compliant and provide the date of the initial Compliance Assessment and any communications between the Company and client or any third parties such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank related to the Breach,” the order says.
Data breaches are an omnipresent threat for any company that holds valuable information, and payment card data is still at the top of that list. In the absence of a national data breach law, this move by the FTC is the strongest evidence yet that the federal government is tiring of the unending parade of breaches, nearly all of which include some note that the compromised firm was PCI-compliant at the time of the attack. There have been fines and penalties in some specific cases for breaches, but for the most part, enforcement and punishment have fallen to the states, if they happen at all.
But with the new interest from the FTC, things may be changing. The commission hasn’t yet said specifically what it plans to do with the data it collects from the auditors, other than to say that it “will be used to study the state of PCI DSS assessments.” The Special Reports are due back to the FTC by the middle of April, and it will be worth keeping an eye on what comes out of this operation.