FTC Launches Study Of Assessment Process For Payment Card Industry Data Security Standards

Author: Ms Heather Sussman, Douglas Meal, James S. DeGraw, Seth C. Harrington, David M. McIntosh, Mark P. Szpak, Michelle Visser, Paul D. Rubin, Marc P. Berger and David Cohen
Profession: Ropes & Gray LLP

On March 7, the FTC announced a study of Payment Card Industry Data Security Standard ("PCI DSS") assessments, the audits required of certain merchants pursuant to rules imposed by payment card brands such as Visa and MasterCard. As part of this study, the FTC issued orders to provide information to nine data security auditors.[1] While the FTC announcement does not specify a motivation for the study or how its results might be used, the level of detail of the FTC's questions and the depth of the required responses suggest that the FTC's interest in the PCI DSS is more than a passing one. Companies required to maintain PCI DSS certification should be aware of the possibility that FTC involvement could lead to changes in the PCI DSS certification process, including a more stringent, and more costly, assessment process.

Many of the FTC's requests for information are geared generally toward the degree of rigor in, and the efficacy of, PCI DSS assessments. For example, the FTC asks about the certifications and training required of PCI DSS assessors, the time spent on a typical PCI DSS assessment, the number of assessments that found PCI DSS compliance, the number of assessments that designated clients as non-compliant, and the number of clients that suffered a data breach in the year following an assessment. Several of the FTC's questions, however, are at a level of detail that suggests the FTC has given a great deal of thought to what the agency may perceive as potential weaknesses in the PCI DSS certification process. In particular, the FTC directs questions toward assessment scope,[2] sampling procedures, reliance on employee interviews, and compensating controls.[3] The theme of potential conflicts of interest also comes up repeatedly. The FTC asks directly about policies regarding conflicts of interest, both for standard PCI DSS assessments and for forensic audits performed after a data breach, and asks several more specific questions related to the independence of assessors. For example, the FTC asks whether clients have input into the drafting of assessment reports, the extent to which a client has input into the scope of a PCI DSS assessment, and the extent to which the assessor communicates with the client in determining the adequacy of compensating controls.

The FTC requests not just narrative responses from the nine data security companies, but also documents related to six representative assessments,[4] including contracts, notes, test results, and...