ON MARCH 7, 2016, THE FTC ANNOUNCED VIA PRESS RELEASE ITS PLANS TO STUDY CREDIT CARD INDUSTRY DATA SECURITY AUDITING.

The FTC formally issued an order to nine of the leading audit and compliancy attestation firms to provide the agency with the intimate details about how they conduct assessments to measure a business’ compliance with the Payment Card Industry Data Security Standard (PCI DSS). While it may have gotten notice by practice leaders of the PCI qualified security assessor companies (QSAC) how many in the hospitality industry caught the story? 

Two reasons to watch these events unfold are:

1. There are currently no U.S. laws regulating credit card security.  The FTC can and does take law enforcement action and has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers’ privacy and security.

2. The Dec. 9, 2015, FTC v. Wyndham Settlement Order requires Wyndham to get an annual independent assessment under the Payment Card Industry Data Security Standard. The hotel group committed to the FTC provision that for the next 20 years an independent third-party auditor must certify that: Wyndham safeguards the connections with its franchisee hotels; Wyndham engages in a comprehensive risk assessment as laid out in the PCI-DSS risk assessment guidelines; and the auditor is truly independent from Wyndham.

There is a valid reason to invoke the Wyndham settlement when discussing this investigation.  The Wyndham pact contained a heightened level of specificity about what data security standards must be followed, and seemed to be an endorsement of PCI DSS. On the surface, that agreement appeared to show that the FTC considers PCI DSS certifications to be important “evidence of reasonable data security.” 

However, those following PCI compliance closely noted that simultaneously in 2015 the FTC sued LifeLock Inc. (and won a $100 million settlement) on allegations that LifeLock “violated” the 2010 data security FTC consent order (which is quite similar to the Wyndham agreement) by failing to maintain adequate data security “despite the fact that LifeLock maintained PCI DSS certification.”

This last part is a rather important tidbit, which, when put into context with the March 7th order, means the U.S. government, via the arm of the FTC, is openly questioning the very process by which the PCI DSS seal of approval is officially attributed and potentially questioning its actual utility. 

To make it even more compelling of a story, the FTC may use any information the agency gathers in a Section 6 investigation to take “enforcement action against industry participants.”  In other words, with the March 7 order, the FTC is openly investigating the entire sector and process of PCI compliance attribution and may as a result decide to intervene with recommendations, orders about their practices and/or even levy fines. 

This particular investigation is only the second time in history that the FTC has used Section 6 authority in the data protection context. (The FTC previously relied on Section 6 to investigate the data brokerage industry and, after the study, called on the data broker industry to improve the transparency of its practices as part of a Commission report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.”)

In the Privacy Report, the FTC set forth a voluntary framework of best practices for businesses based on the concepts of privacy by design, consumer control, and increased transparency for the collection and use of consumer data. 

Experts agree the agency’s current focus on PCI DSS compliance assessments is further evidence that the FTC’s interest in privacy and security is intensely focused, and is not just reactionary, as in the context of breach, but also preventive, in the realm of compliance.  The FTC is serious about actively exercising its fullest governmental authority to promote and enforce the security and privacy of consumers’ personal information across the widest possible scope.

While the commission is interested in a variety of aspects of the auditors’ work, a specific area that stands out in their order are the sections asking the auditors for data on how often they find a client to be non-compliant in an audit and how many clients suffered a data breach in the year following a successful audit. That latter bit could prove to the most important piece of the entire thing. 

Data breaches are an omnipresent threat for any company that holds valuable information, and payment card data is still at the top of that list. In the absence of a national data breach law, this move by the FTC is the strongest evidence yet that the federal government is tiring of the unending parade of breaches, nearly all of which include some note that the compromised firm “was PCI-compliant at the time of the attack.”

Many of the FTC’s requests for information are geared generally toward the degree of rigor in, and the efficacy of, PCI DSS assessments. The FTC asks about certifications and training required of the PCI DSS assessors, the time spent on a typical PCI DSS assessment, the number of assessments that found PCI DSS compliance, the number of assessments that designated clients as non-compliant, and the number of clients who suffered a data breach in the year following an assessment.  Several of the FTC’s questions, however, are at a level of detail that suggests the FTC has given a great deal of thought to what the agency may perceive as potential weaknesses in the PCI DSS certification process.

While the FTC announcement does not specify a motivation for the study or how its results might be used, the level of detail of the FTC’s questions and the depth of required responses drives home that the interest is more than a passing one. Companies required to maintain PCI DSS certification should be aware of the possibility that FTC involvement could lead to changes in the PCI DSS certification process, including a more stringent, and costly, assessment process.

When the FTC issued orders to provide information to nine data security auditors (see sidebar), those not mentioned are not off the hook. The FTC limited the investigation to only nine companies for strictly administrative reasons – a little known rule that allows it to fast track the process – apparently once exceeding nine entities there is a special act that must be invoked and getting the order out can take a longer time; those delays would have tipped off the industry of the investigation. This way it hit everyone with surprise. 

In fact, not only was it out of the blue but the FTC gave these nine firms only 45 days to provide indepth details about the assessment process they employed, including the ways assessors and companies they assess interact and information on additional services provided by the companies, including forensic audits.

The FTC specifically ordered each company to disclose its “data security compliance auditing and its role in protecting consumers’ information and privacy” and are closely scrutinizing the PCI compliance assessment process for DSS (Data Security Standards) and Forensic Audits. 

Each firm must file a special report containing information and documents in regards to data security compliance auditing. The FTC is transparent about one thing: the information will be used to study the state of PCI DSS assessments. 

Earlier the LifeLock case was mentioned. The December 2015 LifeLock agreement saw the FTC take $100 million from LifeLock – the largest monetary award ever obtained by the commission in an order enforcement action.

A BIG TAKEAWAY
Three of the FTC commissioners were on the record with statements that the injunctive relief it obtained in the Wyndham case was related to LifeLock. They were quoted as saying that case actually “corroborates our longstanding view that PCI DSS certification is insufficient in and of itself to establish the existence of reasonable data security protections.”

In the past, the FTC has issued warnings and fines to companies who have themselves ignored proper security practices, but has not directly stepped in for “not meeting PCI compliance standards.” This new investigation signals that the FTC is taking an interest in holding security auditors and security companies responsible for the accuracy and effectiveness of their services.

Many are wondering if the FTC’s action may lead to Federal laws regulating credit card data rather than the PCI Council dictating its rules to companies that process credit card information. Take it as a sign that government regulators might be waking up to the fact that completing a checklist audit has nothing to do with being secure against attack, and the FTC is probably going to step into the fray. WTF! (Why They're Freaking!)