Something BIG Is Cooking -- It Will Affect The Data Practices Of Most Merchants That Accept/Process Credit Card Payments


Background: PCI DSS and the Council

In order to protect credit card data and reduce credit card fraud, the major payment card companies (i.e., Visa, Mastercard, American Express, Discover, and JCB) engaged in a significant and concerted effort to set data practice standards in the early to mid-2000s. The industry would self-regulate compliance with these standards.

The result was ultimately the creation of the Payment Card Industry Security Standards Council. The Council’s primary job is to mandate and administer the data protection rules that constitute the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a proprietary information security standard for organizations that handle branded credit cards from the major credit card issuers.

The first version of the PCI DSS was released in December 2004. Several versions were released subsequently. The version currently applicable is Version 3.1, which was released in April 2015 and will be retired 3 months after Version 3.2 is released. Version 3.2 is planned for release in the first half of 2016. To learn what the latest version brings, see the blog post on the Council’s website, Preparing for PCI DSS 3.2: What to Expect in 2016.

Who must comply with PCI DSS? (“Everybody”)

If you are a merchant who accepts or processes payment cards from major card issuers, you must comply with the PCI DSS.

Compliance with PCI DSS is not federally mandated. At the state level, only a handful of states have adopted PCI DSS into their legislation and require PCI DSS compliance to some extent (e.g., Minnesota, Nevada, Washington).

But if you want to use the services of major credit card issuers, you have to agree to the mandates of the PCI Council. The Council’s rules are that the PCI DSS applies to all entities that store, process, and/or transmit cardholder data. So, you have to accept the application of the PCI DSS.

PCI DSS compliance validation is performed annually. For organizations handling large volumes of transactions (i.e., over 1 million in a year), the compliance validation is performed by an external Qualified Security Assessor (QSA). Smaller companies validate by way of a Self-Assessment Questionnaire (SAQ).

The FTC puts PCI DSS compliance assessments under the microscope

Earlier this month, by Order to File A Special Report, the FTC required nine (9) companies to provide information on how they conduct assessments of companies to measure their compliance with the PCI DSS. These companies are: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).

Per an FTC press release, the order was issued pursuant to Section 6(b) of the FTC Act. The Commission vote to issue the orders was 4-0. The Order is comprehensive and seeks “details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.”

The information collected by the FTC pursuant to the Order will be used to write a report/study on PCI DSS assessments. It should be released later this year.

The study is a good thing. The FTC will learn a lot. And so will we once the FTC’s written study is released.

The elephant in the room, however, is the question: Is this study just the powder and ammo the FTC is acquiring for massive future enforcement actions? These types of actions will have an effect across all industries. A better-educated FTC will be a regulator with more knowledge and confidence in implementing the broad regulatory powers it has under Section 5 of the FTC Act over much of commerce.

Stay tuned.

More articles by Razvan Miutescu