On Monday, March 7 the Federal Trade Commission (FTC) issued a press release announcing that it had sent Orders to nine Qualified Security Assessor (QSA) companies, which are certified to assess whether entities involved in payment card processing, such as merchants, are compliant with the Payment Card Industry Data Security Standard (PCI DSS). The FTC Orders request that each company submit a Special Report within 45 days providing information on its assessment process and on the company itself. The reports are to include information such as the number of assessments the company conducts each year, the percentage of assessed entities found to be in compliance with PCI DSS, and the company’s annual gross revenue attributable to compliance assessments. Companies subject to the Orders are also requested to provide copies of at least two compliance assessments conducted in 2015. The FTC stated that the information collected from the nine companies “will be used to study the state of PCI DSS assessments.”
All nine of the companies ordered to submit reports have been certified as QSAs by the PCI Security Standards Council (PCI SSC), which is led by the major payment card brands such as Visa, MasterCard and American Express. The PCI SSC is responsible for, among other things, maintaining and updating the PCI DSS. To process card data on a payment card brand’s network, the brands require that certain entities undergo assessments that must be conducted by a QSA. For example, Visa requires that any merchant processing over 6 million Visa transactions per year have an annual assessment conducted by a QSA, and American Express has a similar requirement for merchants that process 2.5 million or more American Express transactions per year.
As part of each Special Report, the FTC Orders ask that each entity provide specific information, including the following:
- The average length of time it takes to complete an assessment;
- The pricing structure for conducting an assessment;
- The method by which the scope of the assessment is determined, including to what extent the PCI SSC, a payment card brand or bank is “permitted to provide input into the scoping” of the assessment;
- Whether draft assessment reports are ever shared with the company undergoing the assessment and whether the QSA makes changes to the reports based on feedback from the assessed company;
- Whether the QSA ever identifies deficiencies in a company’s network and provides the company with an opportunity to remediate the deficiency prior to completing its assessment report;
- Whether the QSA company separately provides forensic investigation services related to data breaches or security incidents, and if so, whether it has policies or procedures in place to address potential conflicts of interest between that work and conducting PCI DSS assessments.
A template version of an Order can be found here.