FTC Examines Process by which Companies Assess Compliance with PCI DSS

Ballard Spahr LLP

The Federal Trade Commission (FTC) has issued orders to obtain information about the process by which businesses audit their compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the role of such audits in protecting consumers' information and privacy.

Retailers and other businesses that process more than 1 million card transactions a year are required by the major payment card issuing companies to conduct PCI DSS audits to ensure that they are providing adequate protection for consumers' sensitive personal information. In order to examine the state of PCI DSS assessments, the FTC ordered nine companies that conduct such assessments to submit information about the assessment process. The FTC's request provides insight into the direction its investigation is likely to take with regard to the extent to which businesses being assessed are involved in, and possibly influence, the assessment process. Specifically, the orders ask each company to report:

  • The company's annual gross revenue and the amount of its annual gross revenue attributable to compliance assessments
  • How many compliant and non-compliant designations each company gave during the applicable time period
  • The bidding process by which the company competes for compliance assessments and the pricing structure for compliance assessments
  • The extent to which the company communicates with clients during the compliance assessment and whether the company accepts input on the draft compliance report from the client
  • Whether the company ever gives the client the opportunity to remediate any deficiencies that it finds before the compliance assessment is completed

The FTC's inquiry follows closely on the heels of the Consumer Financial Protection Bureau's (CFPB) first data security enforcement action against Dwolla, Inc. The action included allegations that Dwolla, despite making representations that it had implemented practices in compliance with the PCI DSS, failed to adopt and implement reasonable and appropriate data security policies and procedures. The FTC's and CFPB's recent interest in this area should serve as a reminder to companies to be vigilant about their compliance with industry standards such as PCI DSS.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
