PCI Under The Microscope

Posted by David Gamey on 28 Jun 2016.

The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year PCI is getting a little extra scrutiny.

In early March the Federal Trade Commission, whose mission is to protect consumers, issued an order requiring nine PCI Qualified Security Assessor Companies to produce extensive documentation including assessment reports, working papers, compensating controls, scoping and sampling methods, pricing information, information on solution, assessment, and forensic service offerings, statistics on compliant vs. non-compliant assessments, statistics on breaches after compliant assessments.   The nine assessors have all been in the business for at least four years with some being in from the inception.  They were Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust) but notably not Trustwave!

Clearly the FTC has been taking a strong interest in cyber security lately, increasingly seeing itself with a role in guidance and oversight. In this case the FTC has left its objectives somewhat vague with the simple statement “Information collected by the FTC will be used to study the state of PCI DSS assessments.”  We expect that FTC is looking both into the general state of PCI and into practices within specific QSA companies.

The National Retail Federation and PCI have a long history.  PCI in its current form is in part the result of NRF objections to individual card brand security initiatives going back to about 2001.  In late May, the NRF piled on to the FTC action with a long standing series of complaints requesting the FTC to investigate PCI under anti-trust laws and to discount it as a best practice or even a legitimate standard as detailed in this NRF white paper. The NRF submission will certainly be considered, but as the FTC’s responsibility is clearly with consumers, it will be filtered through that lens.

Clearly the NRF wants more transparency and leverage with PCI. They are also likely afraid of PCI being adopted on a broader basis. Ultimately, this may be a bit of a double edged sword and could have many unintended consequences.

The FTC is also not the only government body taking a position on cybersecurity, other regulators like the CFPB are also taking a strong interest in cyber security regulation.

The PCI council and card brands will be following this closely and will likely continue to evolve the standard.  We know that behind the scenes they are discussing issues, such as how to make the standard more risk-based.  However, these are not quick fixes and take time. More openness and transparency may be a more realistic goal for the near future.  Everyone with an interest in both payments and cyber security will be following this closely as it unfolds.

Related to the FTC Order

https://www.ftc.gov/system/files/attachments/press-releases/ftc-study-credit-card-industry-data-security-auditing/160307datasecurity6border.pdf https://www.ftc.gov/system/files/attachments/press-releases/ftc-study-credit-card-industry-data-security-auditing/160307datasecurity6batta.pdf http://www.computerworld.com/article/3042907/retail-it/will-the-ftcs-pci-probe-do-any-good.html http://www.law360.com/articles/777947/ftc-study-could-lead-to-changes-in-pci-dss-certification

Other FTC security initiatives

https://www.ftc.gov/news-events/press-releases/2016/05/officials-united-states-canada-mexico-participate-2016-trilateral https://www.ftc.gov/news-events/press-releases/2016/05/ftc-study-mobile-device-industrys-security-update-practices https://www.ftc.gov/news-events/press-releases/2016/04/ftc-welcomes-revised-oecd-guidelines-e-commerce https://www.ftc.gov/news-events/press-releases/2016/05/federal-trade-commission-announces-agenda-june-15-start-security

NRF Action

http://fortune.com/2016/06/02/retail-credit-cards-antitrust/ http://www.reuters.com/article/us-nrf-creditcard-idUSKCN0YO2ML http://finance.yahoo.com/news/retailers-ask-ftc-investigate-credit-171400769.html http://www.chainstoreage.com/article/nrf-asks-pci-dss-inquiry http://www.computerworld.com/article/3081444/retail-it/nrfs-attack-on-pci-is-strong-on-theory-weak-on-specifics.html

Related

http://www.arnoldporter.com/en/perspectives/publications/2016/03/reasonableness-liability-without-breach (Consumer Financial Protection Bureau asserts itself as  regulator of data security) http://www.consumerfinance.gov/ (CFPB website) http://www.bna.com/dos-donts-internet-n57982073382/ (Internet of Things and FTC enforcement) http://www.cspdailynews.com/industry-news-analysis/technology/articles/emv-certification-questioned (Congress and EMVco) http://www.law360.com/articles/736584/ftc-tips-data-security-hand-in-wyndham-pact (Update on the Wyndham hotel breach) https://www.law360.com/articles/731601/ftc-appeals-unfavorable-labmd-data-breach-decision (FTC loses a round with Lab MD) http://www.computerworld.com/article/3033161/security/security-standards-sorting-through-the-alphabet-soup.html (Advice for businesses on security standards) http://www.wired.com/2016/06/even-ftcs-lead-technologist-can-get-hacked/ andhttp://www.theregister.co.uk/2016/01/14/ftc_leaks_privacy_conf_attendee_info/ (Even the FTC is not immune) https://www.schneier.com/blog/archives/2016/05/the_unfalsifiab.html (Article and paper explaining why the bar for security controls rises naturally over time)