The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with the Payment Card Industry Data Security Standard (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant.
The companies targeted in the FTC investigation, which range from large-scale accounting firms to cybersecurity-focused enterprises, must respond to the Order with a Special Report no later than 45 days from the date of service. The Special Report must contain information – including internal documentation – on the auditor’s policies, procedures, and methodology for determining whether a client company is PCI DSS compliant. This includes an explanation of whether the auditor gives its non-compliant client companies an opportunity to remedy identified deficiencies before the auditor completes the final PCI DSS compliance assessment report. Notably, the FTC has also ordered the targeted companies to provide exemplary compliance assessments from 2015, together with all related notes, test results, and client and third-party communications.
This Order marks yet another high-profile instance of the FTC invoking its Section 6 authority to investigate industries. Section 6(b) of the FTC Act bestows virtually unlimited power upon the FTC to investigate industries by ordering industry participants to respond to the agency’s inquiries and to produce supporting documentation. Unlike Section 5 of the FTC Act, Section 6 permits the FTC to conduct an investigation without any indication of wrongdoing by the targeted industry or its participants. Notably, the FTC may use the information it gathers in a Section 6 investigation to take enforcement action against industry participants. Thus, cooperation with the FTC in a Section 6 investigation does not confer immunity from subsequent enforcement. While a recipient of a Section 6 request may challenge the request in court, courts have historically interpreted the FTC’s Section 6 authority broadly. This investigation is only the second time that the FTC has used its Section 6 authority in the data protection context. The FTC previously relied on this authority to investigate the data brokerage industry (in which several of our data protection attorneys represented one of the data brokers), and subsequently published the results of that investigation.
The FTC continues to actively exercise its authority to promote and enforce the security of consumers’ personal information. The agency’s current focus on PCI DSS compliance assessments is further evidence that the FTC’s interest in privacy and security is not only reactive, as in the context of a breach, but also preventive, in the realm of compliance.
Norton Rose Fulbright lawyers have worked with their clients and PCI QSAs in the past and understand the challenges that organizations and QSAs face during the PCI DSS audit process. Moreover, we have previously helped companies navigate the FTC Section 6 investigative process. Without a solid understanding of the PCI assessment process and the ability to translate and explain that process to the FTC, PCI auditors (and the PCI auditing industry as a whole) may face significant legal and regulatory risk. Companies should tread carefully as they cooperate with the FTC in this context.