Could FTC Play Bigger Role in Card Security?
Commission Scrutinizing How QSAs Assess PCI Compliance
The Federal Trade Commission's review of how nine qualified security assessors scrutinize merchants' compliance with Payment Card Industry security standards could be a sign that more federal oversight of payments security is on the way.
The nine companies are: Foresite MSP LLC, Freed Maxick CPAs P.C., GuidePoint Security LLC, Mandiant, NDB LLP, PricewaterhouseCoopers LLP, SecurityMetrics, Sword and Shield Enterprise Security Inc. and Verizon Enterprise Solutions, also known as CyberTrust.
"PCI-DSS audits are required by the major payment card issuing companies of retailers and other businesses that process more than 1 million card transactions in a given year and are intended to ensure that companies are providing adequate protection to consumers' sensitive personal information," the FTC notes. "The FTC is seeking details about the assessment process employed by the companies [that serve as QSAs], including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments; and information on additional services provided by the companies, including forensic audits."
The FTC says it plans to use the information it collects to compile a study that reviews PCI-DSS compliance and assessments.
FTC Payments Oversight?
But industry experts say this could be the FTC's first step toward ensuring all companies are assessed for PCI compliance in the same way.
Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, is pleased the FTC is scrutinizing how QSAs assess PCI compliance. That's because the current process used to assess PCI compliance is not transparent or proportionate, she contends.
"As a bureau that oversees unfair trade practices, I am very happy they are doing this," Litan says. "The [PCI assessment] process is uneven and way too dependent on the subjective views of the auditors, some of whom have little expertise."
The FTC's action, Litan says, is likely in response to the wave of card breaches that have occurred in the last 36 months. And because many of the companies that have suffered card breaches had been deemed PCI-compliant by their assessors just months before they were breached, the FTC wants to see a sampling of how PCI compliance is determined, Litan adds.
The FTC's review of current PCI compliance practices will likely shed light on shortcomings about how QSAs conduct assessments as well as potential conflicts of interest, Litan says.
"There have been financial revenue-sharing arrangements in the past between the PCI assessment firms and the merchant acquiring processors, which seems like a major conflict of interest," Litan says. "Another major conflict of interest is that the qualified assessment firms are able to sell PCI remediation services after their audits. These conflicts of interest compromise the integrity and usefulness of the audits."
The FTC did not respond to Information Security Media Group's request for comment about when the results of its study will be released or when the nine companies must comply with the commission's request.
PCI: Is Regulation, More Uniformity Needed?
Federal regulators do not monitor PCI compliance. Instead, the major card brands require companies that have a large volume of card transactions to undergo PCI audits by a QSA. But the card brands don't monitor how those audits are conducted, says payments expert and former QSA Jeff Man, who now works as a security evangelist for continuous network monitoring firm Tenable Network Security.
The FTC's interest in PCI compliance and assessment practices is likely linked to the increasing number of smaller merchant breaches, Man contends. That's because only the largest merchants - those with the highest transaction volumes - are required by the card brands to be assessed for PCI compliance by QSAs, he says. Thus, reviewing the assessment practices of nine different QSA firms will help the FTC determine how similar practices could be applied to smaller merchants, which right now are only required to self-assess PCI compliance and are rarely PCI compliant, Man says.
"Enforcement of PCI compliance has always been an issue - and not so much because of how well QSA companies perform, but because they only assess about 1 percent ... of the companies that are subject to PCI compliance in the first place," Man says. "The conventional wisdom was that the bad guys would go after the huge repositories of payment card data found in these large entities; smaller companies had less to lose, so were not scrutinized and pretty much left to self-assess. This paradigm has been crushed by the evolution of techniques that very effectively harvest the payment card data while the transaction is happening - one at a time - and then replicate this over multiple POS systems, multiple stores and multiple, mostly small, retailers."
Ken Stasiak, CEO of security firm SecureState, which serves as a QSA, says the FTC is likely interested in trying to figure out how it can level the security playing field and bring some transparency and uniformity to how PCI compliance is determined.
"I suspect that the FTC is taking a closer look into the 'private' regulation of PCI, and the validity that these assessments provide," he says. "If it [PCI compliance] was working, why have there been so many breaches affecting millions of customers?"
John Buzzard, the former head of FICO's Card Alert Service who now works as director of product management for security firm Rippleshot Fraud Analytics, says the FTC's actions to review how QSAs determine PCI compliance are justified.
"Personally, I think the more eyes on standardization within the guidelines that are already set the better," Buzzard says. "Will it be unsettling for some? Yes, of course; but the good could outweigh the bad here."
FTC Action: Wyndham's Example
Tenable Network Security's Man says increased FTC scrutiny of payments security should have been anticipated, given the commission's recent action against the hotel chain Wyndham Worldwide Corp.
In 2008 and 2009, Wyndham suffered three security breaches that exposed some 619,000 payment cards along with personally identifiable information about the cardholders. In December, the hotel chain settled with the FTC, agreeing to conduct and share the results of a PCI assessment audit, should it suffer another breach (see Wyndham Agrees to Settle FTC Breach Case).
"The FTC relies heavily on the PCI-DSS as a framework for measuring the effectiveness of merchant information security programs," Man says. "This was recently put in writing with the Wyndham order the FTC released last December. The federal government has been under pressure to do something in response to the major breaches over the past couple of years. Since the FTC's purview is retail breaches, it makes sense that they would be the government agency that starts doing more."
And financial consultant Ted Crooks says the FTC's query is likely just a first step on the part of the federal government to shore up cybersecurity within the financial infrastructure.
"Many of my colleagues may see this as an intrusion and it will no doubt make the lives of fraud-fighting practitioners more complex," Crooks says. "But I welcome an increased role for government in protecting the financial infrastructure. And I'm glad they are starting by asking for information."
In the end, protecting the nation's financial systems will require federal resources, he adds. "One of our deep weaknesses is that financial-system security is largely the work of individual entities with individual incentives and duties to shareholders," Crooks says. "There is little collective responsibility and insufficient cooperation. PCI is one of the best examples of needed cooperation, and I'm hopeful the FTC values and builds upon that."