FTC Announces Study of PCI-DSS Assessment Companies

Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

On Monday, March 7 the Federal Trade Commission (FTC) issued a press release announcing that it had issued Orders to nine Qualified Security Assessor (QSA) companies, which are certified to assess whether or not entities involved in payment card processing, such as merchants, are compliant with the Payment Card Industry Data Security Standards (PCI DSS).  The FTC Orders request that each entity submit a Special Report within 45 days providing information on the assessment process and the companies themselves.  The reports are to include information such as the number of assessments the company conducts each year, the percentage of assessed entities found to be in compliance with PCI DSS, and the company’s annual gross revenue attributable to compliance assessments.  Entities subject to the Orders are requested to provide a copy of at least two compliance assessments conducted in 2015. The FTC stated that the information collected from the nine companies “will be used to study the state of PCI DSS assessments.”

All nine of the companies ordered to submit reports have been certified as QSAs by the PCI Security Standards Council (PCI SSC), which is led by the major payment card brands such as Visa, MasterCard and American Express.  The PCI SSC is responsible for, among other things, maintaining and updating the PCI DSS.  To process card data on a payment card brand’s network, the brands require that certain entities undergo assessments that must be conducted by a QSA.  For example, Visa requires that any merchant processing over 6 million Visa transactions must have an annual assessment conducted by a QSA, whereas American Express has a similar requirement for merchants that process 2.5 million or more American Express transactions per year.

As part of each Special Report, the FTC Orders ask that each entity provide specific information, including the following:

  • The average length of time it takes to complete an assessment;
  • The pricing structure for conducting an assessment;
  • The method by which the scope of the assessment is determined, including to what extent the PCI SSC, a payment card brand or bank is “permitted to provide input into the scoping” of the assessment;
  • Whether draft assessment reports are ever shared with the company undergoing the assessment and whether the QSA makes changes to the reports based on feedback from the assessed company;
  • Whether the QSA ever identifies deficiencies in a company’s network and provides the company with an opportunity to remediate the deficiency prior to completing its assessment report;
  • Whether the QSA company separately provides forensic investigation services related to data breaches or security incidents, and if so, whether it has policies or procedures in place related to potential conflicts of interests related to conducting PCI DSS assessments.

A template version of an Order can be found here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide