ControlScan, FTC reach settlement
C ontrolScan Inc., a payment security and Payment Card Industry (PCI) Data Security Standard (DSS)-compliance solutions provider, settled with the Federal Trade Commission over allegations that it certified online merchant domains as secure without properly inspecting them.
The FTC's complaint, which stemmed from an inquiry beginning in 2007, alleged that ControlScan provided security "seals" to Web-based merchants indicating that their Web domains had cleared regular and ongoing security checks by ControlScan even though the company either had stopped conducting inspections or was doing them less frequently than it claimed.
Consumers who visited the Web sites of ControlScan clients could view the seals and click on them to find out, in detail, what they professed to represent.
According to a release on the FTC's Web page, "The company's Business Background Reviewed, Registered Member and Privacy Protected seals conveyed that ControlScan had verified a Web site's information-security practices. However, the FTC alleges that ControlScan provided these seals with 'little or no verification' of their security protections.
"Similarly, the FTC alleges that the company provided its Privacy Protected and Privacy Reviewed seals to Web sites with 'little or no verification' of their privacy protections.
"The FTC also charged that although ControlScan's seals displayed a current date stamp, the company did not review any of the seal sites on a daily basis. In some instances, Web sites were reviewed only weekly, and in other instances, ControlScan did no ongoing review of a company's fitness to continue displaying seals."
The settlement with the FTC bars ControlScan from "future misrepresentations," and demands the company see to it that merchants who've displayed the certification seals take them down. In a separate settlement, ControlScan founder and former Chief Executive Officer Richard Stanton was ordered by the FTC to give up $102,000 in "ill-gotten gains." Stanton was replaced by Joan Herbig as CEO in 2007.
"The FTC's inquiry began in mid 2007 and centered on practices that were implemented as early as 2005 and are no longer in use by the company," ControlScan said in a press release. "ControlScan fully cooperated with the FTC, and we are pleased to have reached a settlement.
"The seals that form the basis of the FTC's complaint have already been withdrawn from the market. The FTC has no issues with the current practices related to our remaining Verified Secure seal. As such, it continues to be available for use by ControlScan e-commerce merchant customers."
Tim Cranny, President and CEO of Panoptic Security Inc., said the settlement between the FTC and ControlScan is significant in an industry in which merchant security providers sometimes skirt close regulation.
"It is a very good thing that the government is trying to raise standards and to protect consumers," he said. "With security it is very easy to create misleading impressions, simply because there is such a large gap between the knowledge and experience of the consumer – in this case the merchant and even the end consumer – and the service provider.
"There is at the moment too little oversight, and I think the right answer, which we're moving toward, is a combination of government oversight and also a more detailed and hands-on industry oversight."
Cranny added that smaller companies not mandated by PCI DSS rules to undergo on-site security audits often enlist security providers like ControlScan, both to protect their domains from data breach and to increase revenue by reassuring wary consumers.
"There are actually statistics that show [security seals] do make a measurable difference to consumers," Cranny said.
The question of liability
Payments attorney Adam Atlas said a security provider's commitment to merchant security can sometimes be gauged by its willingness to take on at least some liability for a data breach.
"For security compliance companies, here's the dilemma: on one had they want to deliver a product that has mass appeal and that's affordable; on the other hand, they're up against the issue of who's responsible for a security breach when they've certified a given merchant as being compliant," Atlas said. "The answer to that question lies in the fine print of the contract between the merchant and this company.
"Sometimes, actually, ISOs become resellers of these security compliance packages, and so it may lie somewhere in the terms and conditions between the merchant and ISO. But what I am often surprised to see is that, despite the security package and its whole presentation, if something goes wrong … the security provider doesn't take responsibility. In that case, what's the point of doing security certification at all?"
View prior breaking news