In December 2015, the Federal Trade Commission (FTC) settled a drawn-out civil action it brought against Wyndham Worldwide Corporation (Wyndham) for multiple data breaches involving cardholder data (i.e., information on credit and debit cards). In a departure from dozens of prior FTC settlements that mandated broad security measures for all consumer data, the Wyndham consent order was limited in scope to cardholder data, and required compliance with the Payment Card Industry Data Security Standard (PCI DSS) and annual independent audits to confirm compliance.

PCI compliance has apparently become a topic of great interest to the FTC, and it has now issued an Order to nine PCI DSS auditors (Qualified Security Assessors, or QSAs) pursuant to Section 6(b) of the FTC Act, seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy. The companies have been given 45 days to respond with a “Special Report” containing information, documents, and items responsive to the Order. According to the FTC’s Press Release regarding the Order, “[i]nformation collected by the FTC will be used to study the state of PCI DSS assessments.”

The Order contains a number of requests with upwards of 38 subparts, and specifically seeks both information and documentation regarding PCI auditing activities from January 2013 through the present, including:
Following its Settlement with Wyndham, the FTC Launches Wide Scale Inquiry Into PCI Compliance Audits

The Payment Card Industry (PCI) Security Standards Council has released a bulletin on impending revisions to version 3.0 of the Payment Application Data Security Standard (PA-DSS) and version 3.0 of the PCI Data Security Standard (PCI DSS), which we reported on in January 2014.

To ensure the continued protection of consumers’ payment data, the PCI Security Standards Council

In October, the Payment Card Industry (“PCI”) Security Standards Council published the Best Practices for Implementing a Security Awareness Program Information Supplement (“Supplement”) to help organisations educate their employees on the importance of protecting sensitive information, the care required in handling it, and the risks of mishandling it.

The PCI Special Interest Group (“PCI SIG”) developed the Supplement

In August, the Payment Card Industry (“PCI”) Security Standards Council published the Third Party Security Assurance Information Supplement (“Supplement”) to help organisations reduce their risk by better understanding their respective roles in securing card data.

The Supplement was developed by the PCI Special Interest Group (“PCI SIG”) consisting of merchants, banks and third-party service providers,

To enhance the security standards that protect customer payment data in the context of increasing e-commerce, the Payment Card Industry (PCI) Security Standards Council has announced the release of version 3.0 of the Payment Application Data Security Standard (PA-DSS) and version 3.0 of the PCI Data Security Standard (PCI DSS), both of which become effective on 1 January 2014.

This post was written by John Hines and Amy Mushahwar.

Are you recording credit card magnetic stripe data, CAV2, CVC2, CID, CVV2 or PIN data?

Many businesses record telephone calls for a number of purposes, including regulatory compliance and customer service monitoring. For those companies that also take credit card payment information over the phone,