FTC Orders Data Security Auditors to Provide PCI DSS Assessment Data
On March 7, 2016, the Federal Trade Commission (“FTC”) ordered nine data security auditing companies to provide detailed information within 45 days about how they conduct assessments of companies when measuring their compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). The FTC announced it is specifically seeking information about “the assessment process employed by the [assessors], including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.” The FTC also requested information on conflicts of interest and on the identification and remediation of deficiencies. The compiled data will be used in an FTC study of the current state of PCI DSS assessments.