Communications Litigation Today was a service of Warren Communications News.

FTC Seeks Insight into Role of Data Security Compliance Auditing in Consumer Privacy

Nine auditing and security firms, including FireEye's Mandiant, PwC and Verizon Enterprise Solutions, were ordered by the FTC to provide information "on how they conduct assessments of companies to measure their compliance with" payment card industry data security standards (PCI DSS), the commission said in a Monday news release. Commissioners, who voted 4-0 to issue the orders, are seeking a better understanding of data security compliance auditing and how it protects consumer privacy. The FTC said it's compiling a study of the auditors and their policies, practices and procedures, such as interactions with companies, sample PCI DSS assessments and additional services provided, such as forensic audits. The commission said major payment card-issuing companies require PCI DSS audits of businesses that process more than 1 million card transactions annually to ensure companies are adequately protecting personal consumer data. The other companies receiving the FTC orders are Freed Maxick CPAs, Foresite MSP, GuidePoint Security, NDB, SecurityMetrics, and Sword and Shield Enterprise Security.