The FTC is conducting a study on the PCI DSS assessment process

The Federal Trade Commission issued a press release earlier this week (March 7, 2016) describing a study it is conducting to better understand the Payment Card Industry Data Security Standard (“PCI DSS”) onsite assessment industry. As part of the study, the FTC is issuing orders to nine companies that conduct PCI DSS assessments, requiring them to provide information about the PCI DSS assessment process, including: how assessors interact with their customers, a limited number of sample assessments or Reports on Compliance, and information on other compliance services these nine companies provide.

SecurityMetrics is one of the companies that has been issued an order to provide such information. This is not an investigation of, or a law enforcement action against, SecurityMetrics. It is a study of the state of PCI DSS assessments, and SecurityMetrics is happy to help the FTC better understand this industry.

The FTC is requesting information only about QSA onsite assessments, along with a very small amount of more general information about forensic investigations. If this study affects one of our customers, a member of the SecurityMetrics team will be in touch with them and work with them to ensure they are comfortable with the process. The vast majority of our customers will not be affected by this study. If any customer has a question about the FTC study or SecurityMetrics’ participation in it, please contact Brandon Bastian: bbastian@securitymetrics.com.

The FTC protects and educates consumers, and part of that protection entails safeguarding consumer data and ensuring that it is secure. SecurityMetrics has worked in the data security industry for 15 years and likewise works to secure consumer data. SecurityMetrics has provided security assessments since 2001 and has been a Qualified Security Assessor since 2006. Qualified Security Assessor is a certification issued by the Payment Card Industry Security Standards Council, and only companies holding that certification may conduct PCI DSS onsite assessments.