The Federal Trade Commission (FTC) issued a press release earlier this week (March 4th) issuing orders to nine companies, requiring each to file a Special Report containing information and documents in regards to data security compliance auditing in relation to Payment Card Industry Data Security Standards- or PCI DSS audits.
Per the FTC, “PCI DSS audits are required by payment card issuing companies and businesses processing more than 1 million card transactions/year, and are intended to ensure that companies are providing adequate protection to consumers’ sensitive personal information”.
The nine companies receiving orders from the FTC are: Mandiant, PwC, Verizon Enterprise Solutions (CyberTrust), GuidePoint Security, LLC, NDB LLP, Sword and Shield Enterprise Security, Inc., Freed Maxick CPAs, P.C., Foresite MSP, LLC, and SecurityMetrics — representing an array of audit/accounting and cybersecurity firms of varying sizes.
Let’s highlight some aspects of the Special Report that each company is required to provide no later than 45 days from the date of service of the order (March 4th, 2016):
- If the Company is certified to perform PCI DSS Compliance Assessments (if so, for how long, and how they became certified)
- Volume of Compliance Assessments that the company has performed annually for each year of the Company’s applicable PCI-certified Time Period
- Annual, and Compliance-related, revenue totals for each year of the Applicable Time Period
- Number of Qualified Security Assessors (QSAs) employed and the QSA qualifications, certifications, and/or training required by the Company
- Number and Percentage of clients for which the Company completed a Compliance Assessment and provided compliant vs. non-compliant designations
- Copies of ALL policies and procedures related to Compliance Assessment including:
- Bidding process/competition for Compliance Assessment contracts
- Engagement specifics such as staffing, duration, and pricing
- Processes and methodologies used in determining client compliance reviews
- At least one copy of a representative client contract for a Compliance Assessment and for Data Security Forensic Audit Services
- State the annual number of the Company’s Compliance Assessment clients that have suffered a Breach in the year following the Company’s completion of the Assessment, for each year of the Applicable Time Period
- A copy of the Compliance Assessment with the completion date CLOSEST to January 31, 2015, as well as a copy of a Compliance Assessment completed in 2015 that is representative of one the Company performs (including all contracts, notes, test results, communications, etc.)
Above only summarizes the detailed request of the FTC, one that falls under Section 6b of the FTC Act, allowing the FTC to investigate industries/organizations “without any indication of wrongdoing by the targeted industry or its participants”.
With the increasing frequency, volume, and severity of breaches, “wrongdoing” might be too strong a stance to take .. but with some of the most notable recent companies breached leaking tens of millions of customer data, even after being deemed “PCI compliant” (Target, Home Depot, TJX), one can definitely question the weight behind the standard, and justify the FTC investigating these firms to gain a better understanding of the real work practices that get applied as part of the PCI compliance process.
Wes Wineberg, Senior Security Researcher and Expert Hacker at Synack also weighed in:
I think it’s going to be very interesting to see where the FTC takes this issue of PCI compliance moving forward. In the past, the FTC has issued warnings and fines to companies who have themselves ignored proper security practices, but as far as I know, not directly for not meeting PCI compliance standards. This new investigation the FTC is conducting may signal the fact that the FTC is taking an interest in holding security auditors and security companies responsible for the accuracy and effectiveness of their services, and investigating the possibility that security providers and auditors have falsely claimed to their customers and the world that systems are properly secured.
On the other hand, the FTC might realize that cybersecurity products and services are too broad and difficult an issue to police – with no clear solution – and simply continue the trend of issuing fines only to companies who demonstrate poor security practices every so often and leave it at that.
We’ll see what comes out of this, but it’s definitely a good sign that the government regulators might be waking up to the fact that completing a checklist audit actually has nothing to do with being secure against attack.
– A step in the right direction – but what will the Special Reports reveal… will this order institute change? Will the 9 companies provide a sound enough representation of the industry as a whole ?
– Compliance ≠ Security – not a groundbreaking or overly “hot take” here, just another example of how the validity of compliance measures in relation to security is increasingly being questioned.
– Non-compliance to remediation, who performs the process? – the FTC is asking companies when they identify deficiencies in a client’s network during an assessment, how often do they give the client the opportunity to remediate the deficiency before the auditor completes its final ROC, or if the auditors will give the “stamp of approval” if client the promises to remediate in the future. How often are auditors staying “on-site” until completion ? How often are false “stamp of approvals” given out?
– FTC and Cybersecurity – …