Since there are no laws regulating credit card security, the Federal Trade Commission (FTC) ordered Special Reports from 9 companies requiring them to disclose their “data security compliance auditing and its role in protecting consumers’ information and privacy” under the PCI (Payment Card Industry) compliance assessment for DSS (Data Security Standards) and Forensic Audits. On March 7, 2016 the FTC issued a press release entitled “FTC To Study Credit Card Industry Data Security Auditing,” which included these reasons for the Order:
The FTC is seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.
Information collected by the FTC will be used to study the state of PCI DSS assessments.
These 9 vendors were ordered to respond within 45 days:
Foresite MSP, LLC
Freed Maxick CPAs, P.C.
GuidePoint Security, LLC
SecurityMetrics
Sword and Shield Enterprise Security, Inc. and
Verizon Enterprise Solutions (also known as CyberTrust)
The FTC’s action may lead to laws regulating credit card data, rather than the PCI dictating its rules to companies that process credit card information.