The shoes are dropping on the companies that assess PCI compliance. Our first signal comes from the LifeLock case. In LifeLock, the FTC alleged that the company “failed to establish and maintain a comprehensive information security program…” as required by a 2010 order. Lifelock settled the case for over $100M, despite the fact that the company claimed it had a clean bill of health from a reputable third party PCI assessor, and according to Commissioner Olhausen, LifeLock suffered no breach.
How could it be the case that a company that receives a clean PCI-DSS assessment could also fail to establish a security program? Several possibilities come to mind: First, the FTC could have come to the conclusion that PCI-DSS is an unreliable or too fragile standard. Second, the assessor could have done a terrible job–one so bad that even LifeLock should have realized it. Third, perhaps the FTC suspected that LifeLock gamed the assessment process. Like the restaurant that gets warning of the inspector’s arrival and quickly cleans the kitchen once, perhaps LifeLock cleaned up its act but then reverted to some bad security state. Finally, perhaps the assessor is complicit in gaming the system, by preparing two reports–one for use by the company and another for the FTC.
The second shoe dropped today–the FTC is using its broad ranging §6(b) authority to investigate PCI assessment companies, including PriceWaterhouseCoopers. Section 6(b) is not used often, but it is a powerful tool. With it, the FTC can compel private parties to complete special reports that are submitted under oath.
The order, which much be complied with in 45 days, suggests that the FTC is suspicious of several aspects of the PCI assessment process. The order is 7 pages long and it is accompanied by an 8-page-long appendix of definitions and procedures. Among the issues the FTC is probing include:
- The qualifications of assessors
- How many times the assessors refused to issue an “compliant” determination
- How much the assessors charge for their services
- How assessors scope their inquiries
- How/whether assessors choose to use testing
- Whether the assessor provides a “draft report” for the client that the client can edit
- Whether the assessor surfaces problems that the client is allowed to remediate
- Whether the assessor certifies clients as compliant based on the promise that the client will remediate a problem
The FTC does not ask questions like this and put high-profile companies through the wringer for nothing. The FTC’s cases must be arousing suspicion, or–more likely–a competitor has ratted out assessing firms that are engaging in shady practices.
[I updated this post on March 8th to clarify that the 6(b) letters are focused only on the PCI-DSS process, rather than on all forms of assessment.]