In December 2015, the Federal Trade Commission (FTC) settled a drawn-out civil action it brought against Wyndham Worldwide Corporation (Wyndham) for multiple data breaches involving cardholder data (i.e., information on credit and debit cards). In a departure from dozens of prior FTC settlements that mandated broad security measures for all consumer data, the Wyndham consent order was limited in scope to cardholder data, and required compliance with the Payment Card Industry Data Security Standard (PCI DSS) and annual independent audits to confirm compliance.

PCI compliance has apparently become a topic of great interest to the FTC, and it has now issued an Order to nine PCI DSS auditors pursuant to Section 6(b) of the FTC Act, seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy. The companies have been given 45 days to respond with a “Special Report” containing information, documents, and items responsive to the Order. According to the FTC’s  Press Release regarding the Order, “[i]nformation collected by the FTC will be used to study the state of PCI DSS assessments.”

The Order contains a number of requests with upwards of 38 subparts, and specifically seeks both information and documentation regarding PCI auditing activities from January 2013 through the present, including:
Continue Reading Following its Settlement with Wyndham, the FTC Launches Wide Scale Inquiry Into PCI Compliance Audits