I read that the FTC ordered nine companies to produce PCI DSS compliance assessments for FTC review, but I didn't...
think the FTC was involved with PCI DSS. Why is the FTC doing this? What's its interest in PCI assessments? Should organizations be concerned?
The Federal Trade Commission issued orders to nine firms who conduct PCI DSS compliance assessments on behalf of other firms demanding they produce information about their PCI assessment process and results. This is quite interesting due to the status of PCI DSS as a nongovernmental regulation. In their order, the FTC commissioners explain this unusual action:
"The Commission is seeking insight into data security compliance auditing and its role in protecting consumers' information and privacy. The Special Report will assist the Commission in compiling a study of such auditors and their policies, practices, and procedures."
Each of the nine companies targeted by this order is asked to provide details on the nature of the PCI assessments they perform each year and the revenue they glean from assessments. The true data they seek may be buried in the details of the order where the FTC demands that firms report the number of times their assessments result in a report of noncompliance. They also demand that firms:
"State whether the Company ever identifies deficiencies in a client's network during a Compliance Assessment and gives the client the opportunity to remediate the deficiency before the Company completes its final ROC."
Reading the tea leaves on this, it seems likely that the FTC is preparing to dig into the PCI assessments process. It remains to be seen what, if any, action they will take as a result of their investigation, but compliance professionals should monitor the situation closely.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out the effects of the FTC controlling cybersecurity regulations
Discover how small businesses can ease the PCI compliance burden
Learn who should perform compliance assessments for HIPAA
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading