The Federal Trade Commission (FTC) has issued orders to obtain information about the process by which businesses audit their compliance with the Payment Card Industry Data Security Standards (PCI DSS) and the role of such audits in protecting consumers' information and privacy.

Retailers and other businesses that process more than 1 million card transactions a year are required by the major payment card issuing companies to conduct PCI DSS audits to ensure that they are providing adequate protection to consumers' sensitive personal information. In order to examine the state of PCI DSS assessments, the FTC ordered nine companies that conduct such assessments to submit information about the assessment process. The FTC's request provides insight into the direction its investigation is likely to take, namely the extent to which businesses being assessed are involved in, and possibly influence, the assessment process. Specifically, the orders ask each company to report:

  • The company's annual gross revenue and the amount of its annual gross revenue attributable to compliance assessments

  • How many compliant and non-compliant designations each company gave during the applicable time period

  • The bidding process by which the company competes for compliance assessments and the pricing structure for compliance assessments

  • The extent to which the company communicates with clients during the compliance assessment and whether the company accepts input on the draft compliance report from the client

  • Whether the company ever gives the client the opportunity to remediate any deficiencies that it finds before the compliance assessment is completed

The FTC's inquiry follows closely on the heels of the Consumer Financial Protection Bureau's (CFPB) first data security enforcement action against Dwolla, Inc. The action included allegations that Dwolla, despite making representations that it had implemented practices in compliance with the PCI DSS, failed to adopt and implement reasonable and appropriate data security policies and procedures. The FTC's and CFPB's recent interest in this area should serve as a reminder to companies to be vigilant about their compliance with industry standards such as PCI DSS.

Attorneys in Ballard Spahr's Privacy and Data Security Group regularly work with companies on implementing and documenting controls to protect the data they collect and process. Ballard Spahr's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products, its experience with the full range of federal and state consumer credit laws throughout the country, and its skill in litigation defense and avoidance.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.