Wyndham Data Breach Settlement Raises PCI Concerns for Merchants

Dec. 10, 2015

The Federal Trade Commission yesterday reached a settlement with Wyndham Hotels and Resorts over security breaches in 2008 and 2009 that compromised the payment card information of more than 600,000 consumers. It is the first time courts have recognized the FTC’s authority regarding companies’ adherence to cybersecurity standards and it ties the PCI DSS more tightly to governmental oversight. While the consent decree signed by Wyndham applies only to that company, the precedent set by the agreement sheds light on what the FTC may require in future cases of data breach concerning the exposure of payment card information.

The settlement requires Wyndham to establish a “comprehensive information security program” and conduct annual assessments using a standard “at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines” for at least 20 years. And, while compliance with PCI standards still is not the law, its inclusion as the standard for assessment in this case is important, according to Amy Mushahwar, counsel and chief information security officer with Washington, D.C.-based law firm ZwillGen.

“You constantly hear in our industry that PCI-DSS are only ‘contractual standards,’” Mushahwar told CardNotPresent.com. “But this is one more piece of evidence that at least one regulator doesn’t believe them to be just contractual.”

Perhaps more importantly, she said, there are several details to the settlement that add significant reporting obligations for Wyndham and could affect other companies that face future FTC scrutiny. First, in addition to the security program, annual assessments and the associated reporting (which it is already required to undertake contractually), Wyndham also agreed to report to the FTC which hotels it owns and which are franchises. Franchisees have different ownership, a different Merchant ID and are treated under card brand rules as completely separate entities requiring no “franchisor umbrella reporting.” The franchisor/franchisee reporting will be used by the FTC to determine which hotels must be treated as “trusted” owned-and-operated networks and which hotels must be treated as “untrusted” networks that require more security precautions. The precedent set by this decree could add significant reporting headaches and operational costs for franchisors that run afoul of the FTC for data security issues in the future.

Also, while not many card-not-present merchants are franchisors, there is an aspect to yesterday’s agreement that could affect all merchants. Not only did the FTC require Wyndham to comply with PCI rules, it said the assessments must be performed by a third party. Under the current PCI-DSS, if a merchant employs a person certified by the PCI-SSC as an Information Security Assessor, it can conduct annual assessments itself. While the decree is specifically between the FTC and Wyndham, other companies must now reevaluate the way they conduct those assessments, according to Mushahwar.

“A consent decree creates a line of precedent,” she said. “Even though everyone is not immediately subject to these terms, it’s kind of a fair warning shot for people who are evaluating their PCI compliance that, if you run into trouble, these are the kinds of things you might be subject to.”