The US Federal Trade Commission (FTC) is flexing its muscles regarding data security. In early March 2016 the agency issued orders to nine companies that conduct payment card industry data security standards (PCI DSS) audits.
The FTC requested information on how the companies measured compliance with the PCI DSS. Specifically, it sought details about the process employed by the assessors and the ways assessors and the companies being assessed interact. It requested copies of a limited set of example PCI DSS assessments, and it also asked questions about additional services provided by assessors, including forensic audits.
Among the nine companies receiving orders from the FTC were: Mandiant, PricewaterhouseCoopers, SecurityMetrics and Verizon Enterprise Solutions, also known as CyberTrust.
These requests come hard on the heels of a recent court settlement with the Wyndham hotel group. Widely seen as a test case to establish jurisdiction, the FTC and Wyndham Hotels and Resorts settled their long-running court battle in December 2015 over consumer data loss.
Wyndham suffered three separate data security breaches between 2008 and 2009, affecting more than 619,000 customers and leading to more than $10.6 million in fraudulent charges, according to court papers.
Citing a 1914 law, the FTC claimed that Wyndham had indulged in “unfair and deceptive practices” in failing to protect consumer payment card data. Wyndham argued that the FTC did not have the authority to bring charges against it with regard to its cybersecurity practices. The US court of appeals for the third circuit did not agree and upheld the decision of a lower court in the FTC’s favour.
The wider implications of this judgement mean that companies that fail to adequately protect card data could be subject to both contractual and regulatory sanctions. The FTC was found to have jurisdiction, namely the authority to charge Wyndham with “unfair and deceptive practices” over its data security. So, while the PCI DSS was established by the major card schemes as a contractual construct, rather than a government standard or law, failure to comply with PCI DSS may still invite regulatory scrutiny and penalties.
The post FTC investigates card industry data security auditing appeared first on Payments Cards & Mobile.