PCI DSS Compliance: Who mandates it? How does the Federal Trade Commission (FTC) fit in?

  • Team Omega
  • December 1, 2016

Is the Payment Card Industry Data Security Standards (PCI DSS) a government mandate?  We’ve been asked this a few times by some of our customers.

PCI DSS was not created by the government; it was created by the Payment Card Industry Security Standards Council, which is made up of members from the five major card companies.

Although not created by the government, Payment Card Industry compliance is enforced, in part, by the Federal Trade Commission (FTC).  The other enforcement comes from the card companies, as explained in our prior blog titled, “PCI DSS Non-compliance Fees – Myth or Reality.”

The Federal Trade Commission protects consumers by stopping unfair, deceptive or fraudulent practices in the marketplace.[1]  Pertinent to PCI DSS, a landmark case, Federal Trade Commission vs Wyndham Worldwide Corporation, 12/09/2015[2], identified the PCI DSS as the Approved Standard for the case and found in favor of the Federal Trade Commission, thereby establishing precedent in such cases.

The court-ordered outcomes of the case include, but are not limited to:

  • Establish, implement, and maintain a comprehensive information security program designed to protect cardholder data for 20 years
  • The designation of an employee or employees to be accountable for the information security program
  • Identification of internal and external risks to the security of cardholder data
  • The design and implementation of safeguards to control the risks identified through risk assessment
  • The evaluation and adjustment of the information security program in light of the results of the testing and monitoring requirement
  • Annually obtain a written assessment of the extent of compliance with the Approved Standard (PCI DSS).

How does all this impact merchants? If you have a current PCI DSS Attestation of Compliance for your company, no worries. If you are not compliant, however, don’t wait for a breach and the FTC to come knocking. If you do not have an Attestation of Compliance, you have work to do to obtain it, and Omega can help.

Omega knows what is required for compliance and assists with filling any gaps you might have. Omega produces policies and procedures, evidence from the Omega systems our customers utilize, and assists customers with understanding how to obtain evidence that Omega does not have access to (such as physical security).

To get more information, call Ashwin Swamy now — 636-557-7777 x2453, or email Ashwin at ashwin.swamy@omegaatc.com.

[1] https://www.ftc.gov/about-ftc/what-we-do
[2] https://www.ftc.gov/system/files/documents/cases/151209wyndhamstipulated.pdf