On Monday (March 7), the U.S. Federal Trade Commission (FTC) launched a government investigation of PCI, zeroing in on potentially excessive charges, inconsistency in enforcement and rampant conflicts of interest. As famed QSA Scooby Doo would have said, “Ruh-roh.”
Ruh-roh is just about right. Merchants have complained for a decade about PCI problems, most notably QSA inconsistencies. In short, a merchant might be 99 percent through an assessment and has almost completed requested fixes when a different QSA is assigned—and a completely different set of interpretations and instructions are then ordered. This also happens when a different QSA firm is retained, which has lead to QSA shopping, with some merchants purposely choosing to retain QSAs that are seen as less stringent.
Another problem here—which the FTC has specifically targeted—are conflicts of interest, where QSAs find that a merchant’s systems are somehow deficient and then offers to sell them the exact software that the QSA has ruled the merchant needs.
None of this is news to the FTC and it’s part of the reason for the investigation, which FTC is officially calling a study. “We have heard these issues,” said David Lincicum, an FTC attorney in the division of privacy and identity protection, who is the lead attorney on the study and is also managing the study. “We go into this looking to get information, to get some details about what the interactions look like.”
Lincicum said that there wasn’t any specific incident that prompted the probe. “It’s become clearer and clearer that PCI is playing a major role” in payments today, he said. “We want to look all of the ecosystems of the assessment, who has a role in it. The general effectiveness of the assessments. We will see what we will see.”
If the FTC cracks down, PCI procedures could easily change, making the value-adds offered by a payment facilitator that much more needed.
The FTC statement listed nine companies that are the initial direct targets of the probe: Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).
There was an interesting bit of government trivia in how the FTC decided to initially look at nine companies. Attorneys concluded that the Paperwork Reduction Act of 1995 would force the initial study to look at only nine companies so that the amount of paperwork generated didn’t hit the Act’s limit, Lincicum said. Beyond that limit, agencies need to get approval from the U.S. Office Of Management And Budget.
As for how the FTC selected those companies, Lincicum said “we tried to look at a variety of size and location” as well as the size of the merchants different companies were assessing.
But of much greater interest are the specifics of the initial probe, as spelled out in the federal orders sent to those companies. Among the specific demands being sent were:
- “State whether the Company has any policies or procedures relating to potential conflicts of interest, including, but not limited to, any policies that prevent the Company from providing Compliance Assessments to clients to which it has also provided another type of service, or that concern the marketing or provision of other services to clients for which You have provided a Compliance Assessment. State whether the Company has any policies or procedures relating to potential conflicts of interest, including, but not limited to, any policies that prevent the Company from providing Data Security Forensic Audit Services to clients to which it has also provided another type of service or that concern the marketing or provision of other services to clients for which You have provided Data Security Forensic Audit Services.”
This directly gets into the conflict issue and will explore how much revenue QSA companies are getting from sales of the services/products they determine are needed.
- “State whether the Company performs PCI DSS Compliance Assessments and, if so, describe the nature of the service, the length of time that the Company has been certified to perform PCI DSS Compliance Assessments, the process by which the Company became certified to perform these Assessments, and the number of Compliance Assessments that the company has performed annually for each year of the Applicable Time Period. For each year of the Applicable Time Period, state the number and percentage of clients for which You completed a Compliance Assessment and for which You declined to provide: 1. a “Compliant” designation on the Attestation of Compliance (“AOC”); or 2. an “In place” designation on the final Report on Compliance (“ROC”). For each year of the Applicable Time Period, state the number and percentage of clients for which You completed a Compliance Assessment and for which You provided: 1. a “Non-compliant” designation on the AOC; or 2. a “Not in place” designation on the ROC. vi. If there is any difference, explain the reason for the difference.”
This gets into the “easy grading” issue.
- “The Company’s pricing structure for Compliance Assessments and typical cost to clients of Compliance Assessments.”
Just what every QSA wants: a government investigator shining light on its pricing policies. Pricing “is clearly a sensitive issue,” FTC’s Lincicum said.
- “The method by which the scope of Compliance Assessments is determined, including but not limited to, the extent to which a client or any third party, such as the PCI Security Standards Council (“PCI SSC”), a Payment Card Network, Acquiring Bank, or Issuing Bank, is permitted to provide input into the scoping of Compliance Assessments; the policies and procedures for completing a Report on Compliance (“ROC”), including, but not limited to a discussion of whether a draft report is created, whether that draft is shared with the client or any third party such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank, whether the Company accepts input on the draft from the client or any third party, and whether the Company ever makes changes to the draft report based upon the client or other third parties’ input.”
Ahhh, yes. This gets into the question of the degree to which PCI is a puppet of the cardbrands.
- “State the annual number of the Company’s Compliance Assessment clients that have suffered a Breach in the year following the Company’s completion of the Assessment for each year of the Applicable Time Period. For each such client, state whether it was subsequently determined not to be PCI compliant and provide the date of the initial Compliance Assessment and any communications between the Company and client or any third parties such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank related to the Breach.”
Here’s another popular request. The FTC plans on exploring the relationship between being declared PCI compliant and the number of subsequent data breaches. A very old problem with PCI has been the cardbrand tendency to employ revisionist history to data breaches. No compliant merchant has ever been breached, they say, because when a compliant merchant has been breached, the assessment is re-evaluated and invariably removed. It’s classic 1984 think. PCI works so if any PCI-compliant merchant is breached, they couldn’t have really been compliant.
The problem there goes beyond it being a self-fulfilling prophecy. It stems from the flawed assumption that PCI compliance somehow equals that mythical perfect security—one that can’t ever be defeated by a bad guy.
“Just because there was a breach doesn’t mean that there was unreasonable security or a PCI violation,” Lincicum said.
The FTC nosing around there might actually do more good than harm.