Retailers that accept credit cards are typically required by the payment card brands to show that they are in compliance with the Payment Card Industry Data Security Standards or “PCI DSS” at least once a year. How a retailer is permitted to show compliance depends in part on whether the retailer has a history of data security issues (e.g., have they suffered a breach) and the quantity of credit cards that the retailer transacts each year. Typically retailers that have either had a data security breach, or transact large quantities of credit cards, are required to retain a Qualified Security Assessor or “QSA” to conduct an audit and to provide an independent report showing whether the retailer is in compliance with the PCI DSS. Retailers that have not experienced a data breach and transact relatively few cards are often permitted to self-certify their compliance with the PCI DSS.
A QSA is a company that has been certified by the PCI Security Standards Council (“PCI SSC”) to validate compliance with the PCI DSS. The independence, effectiveness, and consistency of QSAs have recently been called into question. Among other things, the Federal Trade Commission (“FTC”) has initiated an investigation of the QSA-industry.1
By understanding what the FTC is looking at when evaluating QSAs, retailers can perform their own due diligence to try to avoid allegations by the FTC, or others, that a QSA’s examination is insufficient. The FTC’s investigation is focused on the following issues that may impact a QSA’s judgment in terms of a retailer’s PCI DSS compliance:
- The percentage of the QSA’s revenue that comes from providing QSA services.
- How often the QSA determines that retailers are not in compliance with the PCI DSS.
- How QSAs bid, negotiate, price, and scope the audits that they perform.
- The extent to which QSAs rely upon representations made by a retailer’s employees.
- The extent to which QSAs utilize sampling as part of their assessments.
- The extent to which QSAs are willing to share “draft” reports with retailers that flag areas of non-compliance, but generate final reports that show full compliance if the retailer remediates areas of concern.
- The extent to which QSAs are willing to issue final reports that show compliance based on assurances that a retailer will remedy a deficiency in the future.
- The rate at which the retailers that a QSA certifies as compliant experience data breaches.
- Whether QSAs have policies and procedures to prevent potential conflicts of interest.
- How QSAs assess whether the risk of a PCI DSS deficiency has been appropriately mitigated by a “compensating control.”
The following provides a snapshot of information to consider when evaluating a QSA:
Click here to view table.