The Federal Trade Commission (FTC) issued a press release earlier this week (March 4th) issuing orders to nine companies, requiring each to file a Special Report containing information and documents in regards to data security compliance auditing in relation to Payment Card Industry Data Security Standards- or PCI DSS audits.
Per the FTC, “PCI DSS audits are required by payment card issuing companies and businesses processing more than 1 million card transactions/year, and are intended to ensure that companies are providing adequate protection to consumers’ sensitive personal information”.
The nine companies receiving orders from the FTC are: Mandiant, PwC, Verizon Enterprise Solutions (CyberTrust), GuidePoint Security, LLC, NDB LLP, Sword and Shield Enterprise Security, Inc., Freed Maxick CPAs, P.C., Foresite MSP, LLC, and SecurityMetrics — representing an array of audit/accounting and cybersecurity firms of varying sizes.
Let’s highlight some aspects of the Special Report that each company is required to provide no later than 45 days from the date of service of the order (March 4th, 2016):
Above only summarizes the detailed request of the FTC, one that falls under Section 6b of the FTC Act, allowing the FTC to investigate industries/organizations “without any indication of wrongdoing by the targeted industry or its participants”.
With the increasing frequency, volume, and severity of breaches, “wrongdoing” might be too strong a stance to take .. but with some of the most notable recent companies breached leaking tens of millions of customer data, even after being deemed “PCI compliant” (Target, Home Depot, TJX), one can definitely question the weight behind the standard, and justify the FTC investigating these firms to gain a better understanding of the real work practices that get applied as part of the PCI compliance process.
Wes Wineberg, Senior Security Researcher and Expert Hacker at Synack also weighed in:
I think it’s going to be very interesting to see where the FTC takes this issue of PCI compliance moving forward. In the past, the FTC has issued warnings and fines to companies who have themselves ignored proper security practices, but as far as I know, not directly for not meeting PCI compliance standards. This new investigation the FTC is conducting may signal the fact that the FTC is taking an interest in holding security auditors and security companies responsible for the accuracy and effectiveness of their services, and investigating the possibility that security providers and auditors have falsely claimed to their customers and the world that systems are properly secured.
On the other hand, the FTC might realize that cybersecurity products and services are too broad and difficult an issue to police – with no clear solution – and simply continue the trend of issuing fines only to companies who demonstrate poor security practices every so often and leave it at that.
We’ll see what comes out of this, but it’s definitely a good sign that the government regulators might be waking up to the fact that completing a checklist audit actually has nothing to do with being secure against attack.
Key Takeaways
– A step in the right direction – but what will the Special Reports reveal… will this order institute change? Will the 9 companies provide a sound enough representation of the industry as a whole ?
– Compliance ≠ Security – not a groundbreaking or overly “hot take” here, just another example of how the validity of compliance measures in relation to security is increasingly being questioned.
– Non-compliance to remediation, who performs the process? – the FTC is asking companies when they identify deficiencies in a client’s network during an assessment, how often do they give the client the opportunity to remediate the deficiency before the auditor completes its final ROC, or if the auditors will give the “stamp of approval” if client the promises to remediate in the future. How often are auditors staying “on-site” until completion ? How often are false “stamp of approvals” given out?
– FTC and Cybersecurity – …
the dump store no cvv sites 2021