Auditing the Auditors: Why Is The FTC Going After QSAs?

When it comes to PCI assessments there are three main parties involved: the business, the QSAs, and the PCI Council. The audited, the auditors, and the standard setters.

And while there has been a lot of focus on companies failing to protect sensitive data, and also media attention focused on the PCI standard and its effectiveness, the FTC is now going after the third member of the data security trinity, ordering nine QSAs to provide details on their PCI DSS auditing processes.

In their press release, the FTC stated that they are “seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.”

It’s not surprising to see the FTC taking action on this front, given the importance of privacy and data security today. It’s no exaggeration to say that our right to privacy is one of the critical pillars of society.

Who’s to Blame For a Breach?

As mentioned above, for a long time the spotlight has been on businesses and the PCI standard. Organizations are expected to look after our data — after all, they are the ones storing it. When a data breach goes down, all the blame is assigned to the company. Some companies have attempted to sue their QSAs in the past, but none have succeeded.

The PCI Council has also been questioned numerous times, with people asking what good the PCI standard is if companies are still getting hacked and losing data.

What they fail to understand is that the PCI DSS is just that — a standard. It’s something you are meant to aspire to attain, and sustain. There is a big difference between aiming to be compliant and aiming to be secure, and sadly the distinction is lost on a lot of companies.

This brings us back to the issue on QSAs, and their role in helping companies comply with the PCI DSS. It is their duty to uphold the standard, and to ensure that the companies they audit are meeting the standard effectively. They are essentially the driving instructors ensuring that poor drivers do not get the license to drive our roads and compromise our safety.

In the interest of fairness, it is also key that they do not use the audit process as a reason to sell their own PCI software tools or even withhold on signing off on a business that does not purchase their wares. Returning to the car analogy, it would be akin to a driving instructor refusing to pass a student that doesn’t buy the teacher’s brand of windscreen wipers.

This isn’t to say that they aren’t allowed to sell their PCI software solutions to their clients- just that they aren’t allowed to make it a prerequisite to passing their compliance test. Also, the PCI DSS dictates that when making recommendations for PCI tools, the client has to be presented with a choice of at least three different software to perform the required task.

Good For Consumers

Overall, this move by the FTC is an encouraging one, because it tells us that the FTC is truly interested in protecting the private information of consumers. To be clear, it does not mean that the QSAs are guilty of any form of a misdemeanor — just that if there is, the FTC wants to know.