The FTC is on a data breach enforcement roll. Last summer, the courts allowed it to fine companies with weak cybersecurity practices. Now, the FTC is taking a closer look at payments processing, checking to see how auditors measure compliance with industry rules.
Specifically, the FTC has requested information from PricewaterhouseCoopers, Mandiant, Foresite MSP, Freed Maxick CPAs, GuidePoint Security, NDB, SecurityMetrics, Sword and Shield Enterprise Security, and Verizon Enterprise Solutions, which is also known as CyberTrust.
The nine companies, a mixture of large and small compliance vendors, have 45 days to respond to detailed questions about how they measure compliance with the Payment Card Industry Data Security Standard (PCI DSS).
For example, the vendors are asked whether they ever issue a final assessment based on a client's promise to fix the problems the audit uncovered, or whether they ever confirm compliance with one of the standard's requirements based solely on interviews.
The FTC also asked for a copy of a representative assessment from a year ago, including all contracts, notes, test results, bidding materials, communications with the client and third parties, and draft reports.
Is the PCI DSS an abject failure?
Given that the number of breaches is continuing to increase, some security experts are suggesting that the industry's current self-policing process is broken.
The idea is "noble in principle," said Carl Herberger, vice president of security solutions at Radware. "But the PCI self-policing framework has in all but small circles been labeled a complete failure."
The approach has been marked by chronic failures, he said, and the standard seems to be failing everyone involved, whether in establishing trustworthiness in financial transactions or in protecting personal privacy.
The PCI DSS was originally created by the financial institutions that issue credit and debit cards, said Eric Chiu, president and co-founder at HyTrust. Its focus was on the relationship between the card brands and the merchants and other businesses that accept card payments.
The FTC, however, is chartered with protecting consumers, he said.
One high-profile example of a company that passed its PCI audit but still had a major breach is Target, said David Gibson, vice president of strategy and market development at Varonis Systems.
"If airplanes began falling out of the sky after passing all their inspections, we would look at both the regulations themselves and the people charged with enforcing them," he added.
Some clues to the FTC's motivations could be in the questions themselves. For example, the compliance vendors are asked about how they handle potential conflicts of interest, and in particular whether they also provide forensic services to their compliance clients.
The FTC also wants to know how many clients had a data breach after they went through a compliance assessment.
"The implication in the inquiry is that some assessors may not be performing the assessments adequately or that they may be rubber stamping assessments," said Rob Sadowski, director of marketing and technology solutions at RSA Security.
Is the FTC looking to expand its role?
Perhaps the FTC is actually looking to learn more about how the cybersecurity audit process works, in order to step up its own enforcement efforts.
"The FTC is most likely going to leverage the information from this audit to help justify an increased budget and bigger staffing resources," said Ed Fox, vice president of network services at MetTel, which works with several government agencies on cybersecurity issues.