(by Marion Roger; from Hospitality Upgrade’s Summer/HITEC 2016 Issue)
On March 7, 2016, the U.S. Federal Trade Commission (FTC) issued orders to nine companies requiring them to provide the agency with information on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS). The accompanying Order to File a Special Report compelled these entities to report on their policies, practices, budgets and handling of potential conflicts of interest between the PCI assessments and other services the companies might provide their clients (i.e., auditing and consulting).
David Lincicum, an FTC attorney in the division of privacy and identity protection, is the lead attorney on the study and is also managing this review. "We go into this looking to get information, to get some details about what the interactions look like," he said, and added that there wasn't any specific incident that prompted the probe. "It's become clearer and clearer that PCI is playing a major role (in payments today)," he said. "We want to look at all of the ecosystems of the assessment, who has a role in it, the general effectiveness of the assessments. We will see what we will see."
The firms in question had 45 days to comply. That period has come and gone and officially there has been no news about the status of this investigation. The full story about the investigation appears in the Summer/HITEC issue of Hospitality Upgrade (June 2016), but there are some tidbits worth adding to the story that were not known at press time.
According to several attorneys contacted for the story, while the FTC does not have "authority to enforce compliance with PCI DSS, a private-sector standard established and enforced by industry participants, the FTC does have broad authority under Section 6(b) to issue orders inquiring as to the organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals (of the entities to whom the inquiry is addressed)." The Commission’s 6(b) authority also enables it to conduct wide-ranging studies that do not have a specific law enforcement purpose.
In the initial order, companies were required to provide copies of audits where the client was found to be out of compliance. There has been much discussion about whether counsel for the firms can push back on providing confidential information that could be harmful to their clients. Whether the pushback has taken place is unknown but sources point to a lot of legal maneuvering that will stall the investigation.
It turns out that the FTC probe will be examining, among other things, potentially excessive charges, inconsistency in enforcement, card brand influence and rampant conflicts of interest. That conflict-of-interest issue is all about the ability of qualified security assessors (QSA) to also sell to clients the software/hardware/services that they recommend as PCI-compliant. That is a very real and very unmistakable conflict of interest.
Another note: The FTC plans to explore the relationship between being declared PCI-compliant and the number of subsequent data breaches. A very old problem with PCI has been the card brand tendency to employ revisionist history to data breaches. No compliant merchant has ever been breached, they say, because when a compliant merchant has been breached, the assessment is re-evaluated and invariably removed. It's a classic 1984 theory. PCI works, so if any PCI-compliant merchant is breached, they couldn't have really been compliant. The problem there goes beyond it being a self-fulfilling prophecy. It stems from the flawed assumption that PCI compliance somehow equals that mythical perfect security – one that can't ever be defeated by a bad guy.
"Just because there was a breach doesn't mean that there was unreasonable security or a PCI violation," Lincicum said. And that is the crux of the investigation. The FTC is ultimately looking into whether merchants and consumers are all lulled into a false sense of security because a merchant is "compliant." If merchants are led to believe they are doing everything right and then are still breached, is there something wrong with the attribution of the label? Does that then make the entire process a deceptive practice? If both the merchant and the consumer are potentially deceived into believing things are okay when it is known that things are not, how fair is it to make a merchant pay for the full compliance approval process? If the entities know that the compliance label is actually useless, are they abusing their market position for profit?
The FTC is getting into this deeply and it is a story to watch closely as the year progresses.
Addendum: The spotlight just got a lot hotter! This week the National Retail Federation announced that it has asked the Federal Trade Commission to conduct an investigation into the PCI council and standards saying "the group’s controversial practices raise antitrust concerns." In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”
According to the NRF, the "council’s practices raise antitrust concerns" for a number of reasons, including "general antitrust dangers when competitors collaborate on setting market standards" and "more targeted concerns insofar as they allow the networks to leverage their proprietary technology."
Translation? The FTC is going to be REALLY looking at the PCI council with even more focus than when the story was initially covered for the HITEC issue. Watch this space (and read the story in the June 2016 issue)!