FTC orders nine PCI auditors to share assessment details

The FTC is on a data breach enforcement roll. Last summer, the courts allowed it to fine companies with weak cybersecurity practices. Now, the FTC is taking a closer look at payments processing, checking to see how auditors measure compliance with industry rules.

Specifically, the FTC has requested information from PricewaterhouseCoopers, Mandiant, Foresite MSP, Freed Maxick CPAs, GuidePoint Security, NDB, SecurityMetrics, Sword and Shield Enterprise Security, and Verizon Enterprise Solutions, which is also known as CyberTrust.

The nine companies, a mixture of large and small compliance vendors, have 45 days to respond to detailed questions about how they measure compliance with the Payment Card Industry Data Security Standards.

For example, the vendors are asked whether they ever issue a final assessment based on a client's promise to fix the problems the audit uncovered, or whether they ever confirm compliance with one of the standards based solely on interviews.

The FTC also asked for a copy of a representative assessment from a year ago, including all contracts, notes, test results, bidding materials, communications with the client and third parties, and draft reports.

Is the PCI DSS an abject failure?

Given that the number of breaches is continuing to increase, some security experts are suggesting that the industry's current self-policing process is broken.

The idea is "noble in principle," said Carl Herberger, vice president of security solutions at Radware. "But the PCI self-policing framework has in all but small circles been labeled a complete failure."

The approach has been marked by chronic failures, he said, and the standards seem to be failing everyone involved, whether in establishing trustworthiness in financial transactions, or protecting personal privacy.

The PCI-DSS standard was originally created by the financial institutions that issue credit and debit cards, said Eric Chiu, president and co-founder at HyTrust. The focus was on the relationship between the card brands and the merchants and other businesses that accept card payments.

The FTC, however, is chartered with protecting consumers, he said.

One high-profile example of a company that passed its PCI audit but still had a major breach is Target, said David Gibson, vice president of strategy and market development at Varonis Systems.

"If airplanes began falling out of the sky after passing all their inspections, we would look at both the regulations themselves and the people charged with enforcing them," he added.

Some clues to the FTC's motivations could be in the questions themselves. For example, the compliance vendors are asked about how they handle potential conflicts of interest, and in particular whether they also provide forensic services to their compliance clients.

The FTC also wants to know how many clients had a data breach after they went through a compliance assessment.

"The implication in the inquiry is that some assessors may not be performing the assessments adequately or that they may be rubber stamping assessments," said Rob Sadowski, director of marketing and technology solutions at RSA Security.

Is the FTC looking to expand its role?

Perhaps the FTC is actually looking to learn more about how the cybersecurity audit process works, in order to step up its own enforcement efforts.

"The FTC is most likely going to leverage the information from this audit to help justify an increased budget and bigger staffing resources," said Ed Fox, vice president of network services at MetTel, which works with several government agencies on cybersecurity issues.

Stories by Maria Korolov