The FTC announced earlier this month that it “has issued orders to nine companies requiring them to provide the agency with information on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS)”. The actual order runs seven pages long and contains more details.

Security professionals have been preaching for a very long time that “Compliance does not equal Security”. This is in large part because of the impact of the Payment Card Industry Data Security Standard (PCI-DSS), first authored in 2004, which has grown into a sub-industry within Information Security. Much like Social Security numbers, which were invented during the FDR administration solely for tracking worker income but have become a universal identification method for everything from the DOT to health records to banking, PCI has become a de facto, and severely lacking, “security standard”.

It has been proven time and time again, primarily and unfortunately through very large and very visible breaches, that the 6 Controls, 12 Requirements and 200-ish sub-requirements of the PCI-DSS leave large gaps in security architectures, policies, procedures and, in some cases, common sense.

That the FTC is taking an interest in this, and in how exactly companies are being tested, measured and graded, no doubt stems from an obvious problem: many people have adopted PCI as Security Gospel or, even worse, view it as a way to appear secure. This is so-called “Checkbox Security”, supported by the security firms with reputations as “Scan Shops” that serve that model.

The companies being asked, or rather ordered, to submit answers for this study are by and large well-established and professional organizations. It will be interesting to see the answers that come from this study, particularly the data on how many assessments resulted in Compliant versus Non-Compliant findings, set against the answer to the question of how many of a QSA’s clients suffered a breach in the year after the PCI assessment. Keeping in mind that there are a total of 348 QSA companies worldwide, some good and some not so good, the extrapolated results and inferences may finally give some empirical data to those who have been pushing to keep PCI in its intended, limited role and to bring more rigor to the testing processes themselves.

The FTC should be applauded for examining the current testing regimen and providing visibility into a critical part of the security model for enterprises that handle credit cards. Let us know what you think in the comments below!