

Why is the FTC interested in PCI assessments?

The FTC's order demanding information about PCI DSS compliance assessments is unusual, since PCI DSS is an industry standard rather than a government regulation. Expert Mike Chapple explains the motivation behind the order.

I read that the FTC ordered nine companies to produce PCI DSS compliance assessments for FTC review, but I didn't think the FTC was involved with PCI DSS. Why is the FTC doing this? What's its interest in PCI assessments? Should organizations be concerned?

The Federal Trade Commission issued orders to nine firms that conduct PCI DSS compliance assessments on behalf of other organizations, demanding that they produce information about their assessment processes and results. The action is notable because PCI DSS is an industry standard maintained by the payment card brands, not a government regulation, so the FTC has no direct role in enforcing it. In the order, the FTC commissioners explain this unusual step:

"The Commission is seeking insight into data security compliance auditing and its role in protecting consumers' information and privacy. The Special Report will assist the Commission in compiling a study of such auditors and their policies, practices, and procedures."

Each of the nine companies targeted by the order is asked to provide details on the nature and number of PCI assessments it performs each year and the revenue it earns from those assessments. The data the FTC is really after may be buried in the details of the order, where it demands that firms report how many of their assessments resulted in a finding of noncompliance. The order also requires the firms to disclose whether they allow clients to fix problems before the final Report on Compliance (ROC) is issued:

"State whether the Company ever identifies deficiencies in a client's network during a Compliance Assessment and gives the client the opportunity to remediate the deficiency before the Company completes its final ROC."

Reading the tea leaves on this, it seems likely that the FTC is preparing to scrutinize the PCI assessment process itself, and in particular whether assessors are too willing to let clients remediate findings quietly rather than report them. It remains to be seen what action, if any, the FTC will take as a result of its study, but compliance professionals should monitor the situation closely.



This was last published in August 2016
