The FTC has questions about how PCI-DSS Qualified Security Assessors (QSAs) conduct their audits and recently ordered itself to study the issue.
Merchants and service providers whose processing volume exceeds established volume thresholds are required to use a QSA to assess PCI compliance. The FTC wants to know (among other things) whether QSAs are allowing clients to remedy potential PCI issues before their final assessment is issued. Duh! Isn’t the whole point of the assessment to achieve compliance with the PCI-DSS standard?
The FTC isn’t the only government agency getting into the act. The Consumer Financial Protection Bureau (CFPB) recently sanctioned Dwolla for making false representations about its PCI compliance practices. But that’s a different matter: the CFPB took action against Dwolla because of alleged compliance misrepresentations.
The FTC action is worrisome, because it appears to be based on the notion that there is something wrong with a QSA working collaboratively with a client to achieve full compliance.
Note to FTC: Compliance is a good thing.