The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details.
The PCI standard was created by the major payment card issuers, including Visa, American Express, MasterCard, and Discover, as a way of assessing the security practices of organizations that process their payments. The first version of the standard came out in 2004 and it has evolved in the years since, but one of the things that’s always been part of it is an audit by an outside firm. The audit is supposed to determine the company’s compliance with the 12 requirements in the standard.
An entire industry has grown up around this audit requirement, with many small companies arising to get in on the action. But there are plenty of big firms in the game as well, including some of the larger consulting and security companies in the United States. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments.
“The FTC is seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits,” the statement from the FTC says.
This is the first time the FTC has looked into the way that the PCI audit industry conducts its business, and it’s something that many in the security industry have said for years is necessary. One of the main criticisms of PCI has been that very few organizations that process payments ever fail an audit or is declared non-compliant. And the FTC has explicitly demanded in its order that the nine companies spell out how many companies they designated as non-compliant each year.
The FTC also is asking for highly detailed information on each firm’s auditing practices, the number of assessments it does each year, and much more. But there’s one specific paragraph that is perhaps the most interesting in the order. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC’s notice.
“State the annual number of the Company’s Compliance Assessment clients that have suffered a Breach in the year following the Company’s completion of the Assessment for each year of the Applicable Time Period. For each such client, state whether it was subsequently determined not to be PCI compliant and provide the date of the initial Compliance Assessment and any communications between the Company and client or any third parties such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank related to the Breach,” the order says.
The nine companies who received the FTC’s order have 45 days to respond.
Image from Flickr stream of Eli Pousson.