Retailers that accept credit cards are typically required by the payment card brands to demonstrate compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) at least once a year. How a retailer is permitted to demonstrate compliance depends in part on whether it has a history of data security issues (e.g., whether it has suffered a breach) and on the volume of card transactions it processes each year. Retailers that have either suffered a data security breach or process large transaction volumes are generally required to retain a Qualified Security Assessor (“QSA”) to conduct an on-site assessment and to provide an independent report stating whether the retailer complies with the PCI DSS. Retailers that have not experienced a breach and process relatively few transactions are often permitted to self-certify their compliance by completing a self-assessment questionnaire.
A QSA is a company that has been certified by the PCI Security Standards Council (“PCI SSC”) to validate compliance with the PCI DSS. The independence, effectiveness, and consistency of QSAs have recently been called into question. Among other things, the Federal Trade Commission (“FTC”) has initiated an investigation of the QSA industry.[1]
By understanding what the FTC is looking at when evaluating QSAs, retailers can perform their own due diligence on prospective assessors and reduce the risk that the FTC, or others, will later allege that a QSA’s examination was insufficient. The FTC’s investigation is focused on the following issues that may affect a QSA’s judgment about a retailer’s PCI DSS compliance:
1. The percentage of the QSA’s revenue that comes from providing QSA services.
2. How often the QSA determines that retailers are not in compliance with the PCI DSS.
3. How QSAs bid, negotiate, price, and scope the assessments that they perform.
4. The extent to which QSAs rely upon representations made by a retailer’s employees rather than independently verifying controls.
5. The extent to which QSAs utilize sampling as part of their assessments.
6. The extent to which QSAs share “draft” reports with retailers that flag areas of non-compliance, then issue final reports showing full compliance once the retailer remediates those areas.
7. The extent to which QSAs are willing to issue final reports showing compliance based on a retailer’s assurance that it will remedy a deficiency in the future.
8. The rate at which the retailers that a QSA certifies as compliant experience data breaches.
9. Whether QSAs have policies and procedures to prevent potential conflicts of interest.
10. How QSAs assess whether the risk of a PCI DSS deficiency has been appropriately mitigated by a “compensating control.”
The following provides a snapshot of information to consider when evaluating a QSA:
- The number of companies certified as QSAs in the United States.[2]
- The number of QSAs that have been ordered to provide information to the FTC concerning their methods for conducting assessments.[3]
- The number of QSAs that have been implicated in public lawsuits following data security breaches.[4]
[1] Commission Orders to File Special Reports to Collect Information Regarding Data Security Auditors (File No. P155402).
[2] PCI SSC website, https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors (last viewed March 9, 2016).
[3] FTC to Study Credit Card Industry Data Security Auditing: Commission Issues Orders to Nine Companies that Conduct Payment Card Industry Screening (Mar. 7, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing.
[4] QSAs responsible for certifications in the CardSystems, Target, and Heartland breaches appear to have been involved in the resulting litigation as possible defendants.