In December 2015, the Federal Trade Commission (FTC) settled a drawn-out civil action it brought against Wyndham Worldwide Corporation (Wyndham) for multiple data breaches involving cardholder data (i.e., information on credit and debit cards). In a departure from dozens of prior FTC settlements that mandated broad security measures for all consumer data, the Wyndham consent order was limited in scope to cardholder data, and required compliance with the Payment Card Industry Data Security Standard (PCI DSS) and annual independent audits to confirm compliance.
PCI compliance has apparently become a topic of great interest to the FTC, and it has now issued an Order to nine PCI DSS auditors pursuant to Section 6(b) of the FTC Act, seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy. The companies have been given 45 days to respond with a “Special Report” containing information, documents, and items responsive to the Order. According to the FTC’s Press Release regarding the Order, “[i]nformation collected by the FTC will be used to study the state of PCI DSS assessments.”
The Order contains a number of requests with upwards of 38 subparts, and specifically seeks both information and documentation regarding PCI auditing activities from January 2013 through the present, including:
- A breakdown of the company’s assessments and results (e.g., compliant or not compliant)
- The company’s qualifications, and its employees’ qualifications, to conduct assessments
- The company’s annual total gross revenue, and revenue attributable to compliance assessments
- All policies and procedures related to compliance assessments, including client development, bidding for business, pricing structure, staffing, the timeframe and scope of assessments, the sampling of controls, any methodologies or tools used during assessments, how compensating controls are evaluated, client communications, and the handling and sharing of draft reports
- How the company has handled the identification of deficiencies
- How the company addresses potential conflicts of interests, such as for clients who may retain the company for forensic investigations or other services
- An identification of all clients that have suffered a breach and whether they were subsequently deemed non-compliant with PCI DSS
The FTC’s inquiries may have significant ramifications for auditors and their clients alike, and may trigger changes in audit practices that were previously driven by contractual obligations, in order to account for an increased likelihood of regulatory oversight.
In addition, more frequent involvement by the FTC in PCI DSS practices and audits may add a further twist to the already-complex legal and contractual payment card environment, where breaches involving cardholder data have historically been addressed through a combination of contractual and legal proceedings. The major card brands (Visa and MasterCard) maintain a complex contractual eco-system between themselves and the banks that issue cards, merchants (i.e., retailers), merchant banks, and other intermediaries. Based on that contractual eco-system, the card brands can impose a “PCI Assessment” on merchants who experience a breach in order to reimburse the banks that incurred fraud and card replacement costs. Resolution of the PCI Assessment process is often coupled with the settlement of class action lawsuits filed by affected banks.
The FTC’s intentions regarding PCI compliance remain unclear, but retailers and other processors of cardholder data may want to give further consideration to their PCI compliance and auditing programs, and stay tuned to the FTC’s activities in the coming months.