FTC orders nine companies to provide details on PCI DSS audit process
The FTC said it will study the state of PCI DSS assessments.
The Federal Trade Commission (FTC) pressed nine companies into service Monday, ordering them to provide information on the way they assess whether retailers and others are in compliance with Payment Card Industry Data Security Standards (PCI DSS).
Major payment card issuers require retailers and other businesses to undergo audits to show compliance with the standards and the FTC is “seeking details about the assessment process employed” by Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (CyberTrust), according to a release from the commission.
The FTC is particularly interested in “the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits” as it collects information it will use “to study the state of PCI DSS assessments.”
While Haiyan Song, SVP of security markets at Splunk, commended PCI DSS for raising awareness regarding personally identifiable information (PII) and protecting credit card data, as well as setting “a baseline for companies to have controls and certify them,” she said in comments emailed to SCMagazine.com that “breaches that involve customer and credit card information in the FSI and retail industry” still occur.
“Hopefully, this study will teach us how we can revise the standards and assessment process to ensure PCI DSS compliance brings stronger assurance and protection in the ever-changing threat landscape,” she said. “For companies that have already instrumented their enterprise for visibility and control, change will be straightforward to evolve their compliance posture.”