Is The FTC Investigation A Witch Hunt?

With the FTC’s announcement of their PCI fact finding effort a few weeks back, the questions being asked in the PCI assessor community these days are:

“Is this a ‘witch hunt’ by the FTC?” and

“Are they coming after QSACs?”

First, a bit of an update since my last posting on this subject.  I have been able to determine from my sources that the nine qualified security assessor companies (QSAC) that were selected by the FTC were randomly selected from a list of QSACs provided by the PCI Security Standards Council to the FTC.  Based on that information, I have to assume that the nine QSACs selected were just the unlucky winners of this FTC fact finding effort.

Another tidbit I was able to glean from some friends in the nine QSACs is that the FTC had yet to send them the official orders for complying with the study, so the 45 day clock has not necessarily started.  That information is at least a couple of weeks old, so I would assume that they have received official notice from the FTC.

Witch Hunt?

If you review the questions being asked, it would seem to be the start of a witch hunt.  Those of us in the PCI industry know how the QSACs will likely respond to these questions and how those responses will be interpreted.

However, in further reviewing the questions, the FTC is allowing QSACs to explain their answers, so hopefully those explanations will satisfy the FTC about some of the answers they will receive.  Some of the questions that could create problems/concerns are:

  • For each year of the Applicable Time Period, state the number and percentage of clients for which You completed a Compliance Assessment and for which You declined to provide: (1) a “Compliant” designation on the Attestation of Compliance (“AOC”); or (2) an “In place” designation on the final Report on Compliance (“ROC”).
  • For each year of the Applicable Time Period, state the number and percentage of clients for which You completed a Compliance Assessment and for which You provided: (1) a “Non-compliant” designation on the AOC; or (2) a “Not in place” designation on the ROC.
  • the method by which the scope of Compliance Assessments is determined, including but not limited to, the extent to which a client or any third party, such as the PCI Security Standards Council (“PCI SSC”), a Payment Card Network, Acquiring Bank, or Issuing Bank, is permitted to provide input into the scoping of Compliance Assessments
  • the process by which the Company determines whether to use sampling as part of a Compliance Assessment, including, but not limited to, a description of the methodology used to determine that any sample is sufficiently large to assure that controls are implemented as expected. As part of Your response, provide copies of all policies and procedure related to sampling, as well as all documents related to a representative Compliance Assessment that included sampling, including all communications between the Company and the client or any third party, such as PCI SSC, a Payment Card Network, an Acquiring Bank, or an Issuing Bank;
  • the methodology and tools the Company uses to perform Compliance Assessments;
  • the guidelines and policies for interviewing a client’s employees as part of a Compliance Assessment. As part of Your response, identify any PCI DSS requirement for which client employee interviews alone could establish whether a client had satisfied the requirement;
  • the extent to which the Company communicates with clients in determining the adequacy of any compensating control. As part of Your response, provide all documents related to a representative Compliance Assessment that considered a compensating control, including all communications between the Company and the client or any third party such as PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank;
  • Provide: a copy of the Compliance Assessment with the completion date closest to January 31, 2015; and a copy of a Compliance Assessment completed in 2015 that is representative of the Compliance Assessment that the Company performs. For each Compliance Assessment provided in response to this specification, the Company shall also include a copy of any contract with the client for which the Compliance Assessment was performed, all notes, test results, bidding materials, communications with the client and any other third parties, such as the PCI SSC, a Payment Card Network, an Issuing Bank or an Acquiring Bank, draft reports, the final ROC, and the AOC.

The biggest problem I see at the moment is with this last bullet.  All QSACs have non-disclosure agreements (NDA) in place between them and their clients that only allow the PCI SSC access to reports for the purposes of quality assurance assessments (AQM).  This sort of NDA has been mandated by the Council since the release of v2 of the PCI DSS.  There are no provisions for federal government agencies to have access to a client’s ROC or AOC.

As a result, I am sure there will be a lot of legal wrangling over turning over unredacted ROCs and AOCs to the FTC.  If the FTC does allow redaction of “sensitive information”, then the legal wrangling will be over what is “sensitive” information.  ROCs and AOCs contain a lot of sensitive information that will eventually become part of the public record.  If the FTC does not take appropriate measures to control access to that information, an attacker that accesses that archive of ROCs and AOCs will have a gorgeous road map as to how to hack the merchants and service providers that the ROCs and AOCs cover.

Another area that will be highly contentious will be the QSACs providing information on the tools they use for their assessments.  This sort of information is highly proprietary and guarded by QSACs.  If it is released by the FTC it could remove some of the competitive advantages of QSACs.

It will be interesting to see the responses to scoping.  The Council has been struggling to give guidance in this area for years.  It is so bad that an offshoot of the PCI scoping special interest group (SIG) issued their own Open PCI Scoping Toolkit a number of years back to provide guidance to the PCI community.

Finally, the question regarding discussions with the Council, banks, card brands and the like will also be interesting to see documented.  I know that QSAs from my firm discuss a lot of PCI compliance issues amongst ourselves as well as with banks and the brands.  We also have questions submitted to the Council from time to time when we do not have clear guidance.  However, in talking with other QSAs from other firms, this seems to be more an exception and not the rule.

The bottom line on the witch hunt question is that I do not see the QSACs as the primary entities in the crosshairs of the FTC.  If anyone is in the crosshairs, it is the card brands and acquiring banks.  The Council is driven predominantly by the card brands and their Participating Organizations (PO).  The banks are driven by regulatory requirements and recommendations from the brands.

Are QSACs In The Crosshairs?

As I just alluded to above, I do not think that QSACs are directly in the crosshairs.  But they could be, depending on the answers and explanations the FTC receives as well as what happens with this study going forward.

The unfortunate thing about the nine QSACs selected is that a number of notable QSACs are missing from the list, QSACs that those of us in the PCI community know would have extreme difficulty standing up to the scrutiny of this FTC fact finding mission.  Yes, they would have nice responses to the questionnaire, but they would have difficulty supporting those great responses with their work papers and other evidence being requested.

Even with the nine selected I am sure there will be some embarrassing disclosures from the QSACs that have been asked to respond.  But for most of those embarrassments the QSACs can ultimately point to the Council and say they were told by the Council to do what they did.  That is not a good answer from a public disclosure perspective, but it is the truth.

Likely Results

If I had to look down the road and see where this is headed, I likely see a mess.  The FTC is coming to this party a day late and a dollar short.  That is because the days of the large merchant data breaches are likely coming to an end.  Why?

Most Level 1 and 2 merchants have implemented or are in the process of implementing either a point-to-point encryption (P2PE) or an end-to-end encryption (E2EE) solution paired with tokenization.  These solutions encrypt at the swipe/dip of a card at the terminal or point of interaction (POI) and return a token back to the merchants’ applications at the transaction’s completion.  These implementations are either complete or will be completed by the end of 2016.  As such, the days of getting data from large merchants’ databases and POS systems have for the most part come to an end.  For merchants that have implemented these solutions, the only device they will have that is in scope is the POI.

The result of these projects is that any attack would have to compromise the POI, which is typically controlled by the transaction processor, not the merchant.  Not that such an attack cannot be done, just that its rate of success at the moment is very low given the complexity of compromising a processor as well as creating an acceptable rogue POI payload.

I will not go into detail, but I know a lot of you are asking why replacing the POI is not an option.  The reason that attack is not viable is that the P2PE/E2EE solutions all provide some form of tracking of the POI for a variety of reasons.  As a result, merely replacing the POI with a rogue POI is not an easy task and would also require compromising the processor.

The bottom line is that any results that the FTC comes up with will likely be impacting Level 3 and 4 merchants.  Not that such merchants are necessarily small by any sense of the word.  I know of retailers that generate hundreds of millions of dollars in revenue but do less than a million card transactions in a year.

I could easily see the FTC saying that all merchants must periodically submit to an independent evaluation of their security controls, evaluated against the PCI DSS or some other security standard.  I would assume that truly small merchants will push back on such a requirement pretty hard, so I would also assume that the FTC will set some sort of transaction limit so that those truly small merchants do not have to incur that expense.

I could also see the FTC or some other government agency taking over the PCI compliance program.  While I think that would bring an unnecessary level of bureaucracy to the PCI game, it would seem to be a likely outcome.  Whether or not QSACs would be forced to turn over their compliance function to such a government operation will be interesting to see play out.  One could envision something similar to the compliance operations within the FDIC, OCC and other financial institution regulatory bodies used as a model.

The net is that the FTC is, again, coming to this situation late.  Most of the problem will resolve itself in a year or two, making the headlines go away.  However, the FTC will use its “study” as a way to justify cleaning up a questionable or bad process, a process that will have to radically change as merchants essentially get out of the card data business.

My advice to the FTC is to let nature take its course.  The breaches of the past have led the industry to change itself and significantly reduce the risk.  A better effort would be for the FTC to get the processors and card brands to push for adoption of P2PE/E2EE and tokenization across the board.  That would minimize the risk to merchants and only leave processors and banks at risk.

But my advice is rational, and that is not typically how government institutions operate because they need to show the public that they are doing something.  As a result, they tend to overreact and do things that are no longer required, all in the name of proving that they deserve to remain in business.

It will definitely be interesting to see how this all plays out.


1 Response to “Is The FTC Investigation A Witch Hunt?”

  1. amest01
    March 28, 2016 at 1:10 PM

    Let nature take its course. Agree, but the bad guys will simply turn all of their attention on the banks, processors, and the brands, all of which have been breached over the years.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

March 2016
