
InfoBytes Blog

Financial Services Law Insights and Observations

FTC Issues Inquiry into Credit Card Companies' Compliance with Payment Card Industry Data Security Standards

FTC Privacy/Cyber Risk & Data Security


On March 7, the FTC announced that it had issued orders to nine companies requiring each to file a Special Report regarding its assessments of other companies’ compliance with the Payment Card Industry Data Security Standards (PCI DSS). The FTC’s Order stated that it is “seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy.”

Among other things, a company in receipt of the Order must state whether or not it performs PCI DSS Compliance Assessments, whether or not it provides any Data Security Forensic Audit Services, and whether or not it has been the “subject of any government or regulatory inquiry, private action, arbitration or mediation related to the provision of Data Security Services.”

If a company performs PCI DSS Compliance Assessments, the Order requires it to submit certain information on its assessment process, including but not limited to: (i) whether or not Qualified Security Assessors are hired to perform the assessment; (ii) the number and percentage of clients for which it completed a Compliance Assessment, including the number for which it did not provide a “compliant” or “in place” designation on the Attestation of Compliance or the Report on Compliance, respectively; (iii) the policies and procedures related to the Compliance Assessment; and (iv) copies of a limited set of the PCI DSS compliance assessments it performed.

Companies must file the Special Report within 45 days after the date of service of the Order, which is dated March 4, 2016.