Slashdot Mirror


FTC Demands Info From PCI Auditors On Breached Companies' Compliance

Trailrunner7 writes: The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments. Specifically, the FTC is very interested in how many companies were deemed PCI compliant in the year before they suffered a data breach. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC's notice.

1 of 101 comments

  1. Re:joek by Anonymous Coward · Score: 0, Flamebait

    Or, rather than cheating the test, opening yourself to liability, and edging towards fraud, you simply request an exception and submit evidence to your ASV. There are processes in place to address this stuff in a reasonable way, rather than scamming your compliance work and then blaming the test.