The FTC’s focus on data security appears to be expanding, with the agency now investigating the processes by which private industry measures data security compliance. On March 7, 2016, the FTC ordered nine companies that are “Qualified Independent Assessors” to provide detailed information about how they assess their clients’ compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). The nine companies receiving orders range from large accounting firms such as PricewaterhouseCoopers, LLP, to security-focused companies such as Foresite MSP, LLC. They must respond to the Commission within 45 days (absent any extensions the Commission might grant). The FTC did not state that the orders were issued in connection with any apparent breach or other specific problem, and the agency’s ultimate goal for this inquiry remains to be seen.
PCI DSS and the Orders
The Payment Card Industry Security Standards Council is a global open body formed to develop, enforce, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves and promotes the PCI DSS, which applies to all merchants and organizations that store, process, or transmit cardholder data. For smaller merchants, PCI DSS compliance is validated through an annual self-assessment questionnaire. Merchants that process more than 1 million card transactions in a given year must instead undergo an external third-party assessment conducted by a “Qualified Security Assessor,” to ensure that payment card account and other sensitive personal information is being adequately protected and secured. (The validation tiers themselves are set by the payment card brands’ compliance programs rather than by the text of the standard.)
The “Qualified Security Assessor” (“QSA”) is a designation and certification granted by the Council. QSAs are companies and independent security organizations that have been qualified by the Council. “QSA Employees” are individuals who are employed by a QSA company and have satisfied, and continue to satisfy, all QSA requirements. The Council, therefore, (a) sets the PCI DSS standard, (b) trains and certifies the individuals and companies that wish to offer assessment services to merchants against that standard, and (c) is responsible for maintaining the continuing certification of QSAs. According to the Council’s website (www.pcisecuritystandards.org), there are approximately 150 QSAs currently certified to perform PCI DSS security assessments in the U.S. While only nine companies have received this FTC order, it is possible that other QSAs may receive similar orders.
In matters related to privacy and data security, the FTC has most often relied on its authority under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” This allows the agency to initiate investigations and enforcement actions related, for instance, to companies’ failure to live up to promises that they employ certain standards for privacy and/or data security. The model order in this instance is unusual because it was issued under the FTC’s Section 6(b) authority, which the agency uses more rarely and which allows it to obtain a wide variety of information not necessarily related to a potential enforcement action. The FTC does not have the authority to directly examine for or enforce compliance with PCI DSS, a framework established and maintained by industry participants.
The focus of the order and investigation is not on merchants, but rather on the QSAs that perform third-party PCI DSS security assessments of merchants. Specifically, the FTC orders seek detailed information about the QSAs’ PCI DSS compliance assessment processes, including: the Council’s certification process for QSAs; how QSAs approach and pitch their merchant clients for PCI DSS assessment services, including bidding, written proposals, and other sales information; and how QSAs staff, price, and conduct the merchant PCI DSS security assessments, including detailed questions about methodology and results. Each QSA subject to the FTC order must report the percentage of merchants that have been found non-compliant with PCI DSS, and whether merchants are permitted to remediate any uncovered deficiencies before the assessment concludes. The FTC orders also request information about the revenue from PCI DSS compliance assessments as a percentage of the QSAs’ own annual gross revenue. And a particularly interesting item that must be produced with regard to certain areas of investigation is “all communications between the Company [QSA] and the client or any third party such as PCI SSC [the Council], a Payment Card Network, an Issuing Bank or an Acquiring Bank.”
The FTC’s Authority to Investigate
The Commission is authorized to issue these investigative orders pursuant to Section 6(b) of the FTC Act. Unlike investigations brought under Section 5 of the Act, no wrongdoing needs to have occurred to trigger a Section 6 investigation. The FTC can use information gathered in the course of a Section 6 investigation to take enforcement action against participants over which it has enforcement authority. The FTC rarely invokes its power under Section 6(b) to investigate and, when it does so, it is often to author broader policy recommendations and comments about the industry subject to the investigation.
Notably, this appears to be only the second time the FTC has relied on its investigative authority under Section 6 in the privacy and data security context. The FTC previously used this authority to study the data broker industry in 2014, and ultimately published its findings. In those findings, the FTC provided an overview of the “characteristics of the industry,” detailed its concerns about how data brokers collect and use consumer data, particularly sensitive data, concluded that there is a “fundamental lack of transparency,” and offered sweeping legislative recommendations. Outside the privacy context, the Commission also used its Section 6(b) authority in 2013 to study the impact of patent assertion entities (“patent trolls”) on innovation and competition, and drew on that information to testify before Congress on consumer protection issues, including proposed legislation concerning deceptive patent demand letters.
The FTC has not specified what it intends to do with the information requested in the orders, beyond a general goal of studying the state of PCI DSS assessments, including the QSA certification process. But the orders, which strongly echo the 2014 orders to the data broker industry, indicate an intent to scrutinize the business practices of the entities certified to conduct PCI DSS security assessments and to certify merchant compliance with PCI DSS. It is possible that the Commission will issue a report on the state of the PCI DSS assessment industry and on the efficacy of the compliance and certification methods designed to ensure that merchants are protecting consumers’ payment information. The FTC could also include recommendations for legislative, regulatory, and/or industry reforms based on its findings.
The FTC’s action echoes, in some ways, the enforcement action brought by the CFPB against Dwolla earlier this month. That action related to Dwolla’s data security practices, but did not charge Dwolla with violating any particular data security standard or requirement. Rather, the action was brought under the CFPB’s authority to police “deceptive” acts or practices. While the CFPB found that Dwolla’s data security practices were inadequate, the CFPB lacks authority (such as it might have under the Gramm-Leach-Bliley Act) to sanction those inadequacies directly. But because Dwolla had represented to users that it maintained strong data security practices, the CFPB had the power to bring an action based on a conclusion that those claims were deceptive.
In the case of the FTC orders, the FTC does not have authority to enforce compliance with PCI DSS, a private-sector standard established and enforced by industry participants. Yet, the FTC has broad authority under Section 6(b) to issue orders inquiring as to “the organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals” of the entities to whom the inquiry is addressed. The Commission’s 6(b) authority also enables it to conduct wide-ranging economic studies that do not have a specific law enforcement purpose.
The ultimate outcome of the FTC’s inquiry will be of interest to numerous participants who are involved, directly or indirectly, with PCI DSS, as the orders signal that the FTC is investigating the entire landscape of PCI DSS compliance auditing and testing. This includes, for instance, companies that are QSAs certified by the Council to conduct PCI DSS security assessments, as well as merchants who must use such QSAs to conduct their annual PCI DSS assessments.