SlideShare a Scribd company logo

Federal Trade Commission empowers Payment Card Industry

David Sweigert
David Sweigert

This document is a stipulated order for injunction between the Federal Trade Commission and Wyndham Worldwide Corporation regarding data security practices. It finds that the FTC has jurisdiction and alleges Wyndham participated in deceptive and unfair data security practices. It orders Wyndham to establish a comprehensive information security program, obtain annual assessments of compliance with security standards, and provide acknowledgement that it received the order. The order aims to resolve all disputes between the FTC and Wyndham related to data security.

Law
1 of 18
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 1 of 18 PageiD: 5020 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY CLOSED Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corporation, eta/., Defendants. CIVIL ACTION NO. 2:13-CV-01887-ES-JAD STIPULATED ORDER FOR INJUNCTION Plaintiff, the Federal Trade Commission ("Commission"), filed its Complaint for Injunctive and Other Equitable Relief, subsequently amended as First Amended Complaint for Injunctive and Other Equitable Relief(''Complaint''), for a permanent injunction, and other equitable reliefin this matter, pursuant to Section 13(b) ofthe Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 53(b). The Commission and Defendants stipulate to the entry ofthis Stipulated Order for Injunction ("Order") to resolve all matters indispute in this action between them. THEREFORE, IT IS ORDERED as follows: FINDINGS 1. This Court has jurisdiction over this matter. 2. The Complaint alleges that Defendants participated indeceptive and unfair acts or practices in violation ofSection 5 ofthe FTC Act, 15 U.S.C. § 45, related to their data security. 3. The agreement contained in this Order is for settlementpurposes only. 4. This Order does not constitute an admission by Defendants that the law has been violated as alleged in the complaint, or that the facts as alleged in the complaint, other than the jurisdictional facts, are true.
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 2 of 18 PageiD: 5021 S. Defendants waive any claim that they may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution ofthis action through the date ofthis Order, and agree to bear their own costs and attorney fees. The Commission also agrees to bear its own costs and attorney fees. The parties agree that this Order resolves all allegations in the Complaint. 6. Defendants and the Commission waive all rights to appeal or otherwise challenge or contest the validity ofthis Order. DEFINITIONS For the pUipose ofthis Order, the following definitions apply: 1. "Approved Standard" shall mean PCI DSS or, at the election ofHotels and Resorts, any standard ofcomparable scope and thoroughness approved by the Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. 2. "Breach'~ shall be defined as an intrusion into a Cardholder Data Environment within a network that, as to Hotels and Resorts, is not an untrusted network, where Hotels and Resorts bas reason to suspect the unauthorized disclosure, theft, modification, or destruction of Cardholder Data. 3. "Cardholder Data" shall have the meaning PCI DSS Version 3.1, attached hereto as Appendix A, gives to the term "Cardholder Data," ie., "cardholder data" shall be defined, at a minimum, as the full PAN. The PAN is the unique payment card number(typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Cardholder data may also appear in the form of the full PAN plus any ofthe following: cardholder name, expiration date, and/or service code. 2
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 3 of 18 PageiD: 5022 4. "Cardholder Data Environment'' shall have the meaning PCI DSS Version 3.1, attached hereto as Appendix A, gives to the term "cardholder data environment," i.e., the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. 5. ''Defendants" shall mean (1) Hotels and Resorts; (2) Wyndham Hotel Management, Inc.; (3) Wyndham Hotel Group, LLC and its successors and assigns; and (4) Wyndham Worldwide Corporation and its successors and assigns. 6. "Hotels and Resorts" shall mean Wyndham Hotels and Resorts, LLC, its subsidiaries and divisions, and its successors and assigns; provided, however, that in no event shall ''Hotels and Resorts" include any ofthe Wyndham-branded Hotels. No entity shall be considered a subsidiary or a division for purposes ofthe definition ofHotels and Resorts in the event such entity is no longer a subsidiary or division of Hotels and Resorts. 7. upcJ DSS" shall mean the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, Version 3.1, attached hereto as Appendix A, or, in the event such standard no longer exists, any successor standard established or approved by the Payment Card Industry Security Standards Council, any successor entity to said Council, or all ofthe majorpayment card brands. In the event no such successor standard or successor entity exists, PCI DSS shall mean a standard ofcomparable scope and thoroughness approved by the Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. 8. "Practice" shall mean any act or omission implicating information security, including any conduct, implementation, control, configuration, procedure, process, or policy. 3
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 4 of 18 PagetO: 5023 9. ''Treat as an untrusted network" shall mean to implement the security protections that PCI DSS Version 3.1, attached hereto as Appendix A, requires to be put in place with regard to an untrusted network. 10. ''Untrusted network'' shall have the meaning that Requirement 1.2 ofPCI DSS Version 3.1, attached hereto as Appendix A, gives to the term ''untrusted network," i.e., any network that is external to the networks belonging to the entity under review, and/or which is out ofthe entity's ability to control or manage. 11. "Wyndham-branded Hotel" shall mean an independently-owned hotel that is operated in the United States pursuant to a management or franchise agreement with Hotels and Resorts or Wyndham Hotel Management, Inc. or any oftheir respective subsidiaries (a) under one ofthe following brand names or any successor brand name to one ofthe following brand names: Wyndham Hotels and Resorts, Wyndham Grand, and Wyndham Garden Hotels, or (b) under any other hotel brand name that is marketed by Hotels and Resorts to potential licensees of such brand name by means ofa Franchise Disclosure Document or any other regulatory disclosure document generally required by the Federal Trade Commission to be delivered to a potential licensee in connection with the sale ofa franchise. ORDER I. COMPREHENSIVE INFORMATION SECURITYPROGRAM IT IS ORDERED that Hotels and Resorts shall, no later than the date of entry ofthis Order, establish and implement, and thereafter maintain, for twenty (20) years after entry ofthis Order, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity ofCardholder Data that it collects orreceives in the United States from or about consumers. Such program, the content and implementation ofwhich must 4
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 5 of 18 PageiD: 5024 be fully documented in writing, shall consist ofthe following administrative, technical, and physical safeguards appropriate to Hotels and Resorts' size and complexity, the nature and scope ofHotels and Resorts' activities, and the sensitivity ofthe Cardholder Data at issue: A the designation ofan employee oremployees to coordinate and be accountable for the information security program; B. the identification ofmaterial internal and external risks to the security, confidentiality, and integrity ofCardholder Data that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise ofsuch information, and assessment of the sufficiency ofany safeguards in place to control these risks. At a minimum, this risk assessment should include consideration ofrisks in each area ofrelevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, (3) risks emanating from the Wyndham-branded Hotels, and (4) prevention, detection, and response to attacks, intrusions, or othersystems failure; C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment (including any risks emanating from the Wyndham-branded Hotels), and regular testing or monitoring ofthe effectiveness of the safeguards' key controls, systems, and procedures; D. the development and use ofreasonable steps to select and retain service providers capable ofappropriately safeguarding CardholderData they receive from Hotels 5
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 6 of 18 PageiD: 5025 and Resorts and requiring such service providers by contract to implement and maintain appropriate safeguards for such information; and E. the evaluation and adjustment ofHotels and Resorts' information security program described herein in light ofthe results ofthe testing and monitoring required by Part I.C or any other circumstances (including any material changes to Hotels and Resorts' operations or business arrangements) that Hotels and Resorts knows or has reason to know may have a material impact on the effectiveness ofsuch information security program. U. CARDHOLDER DATA ASSESSMENTS IT IS FURTHER ORDERED that, Hotels and Resorts shall, so long as there is a Cardholder Data Environment within a network that, as to Hotels and Resorts, is not an untrusted network, but in any event, for no longer than a period oftwenty (20) years after entry ofthis Order: A. Annually obtain a written assessment ofthe extent ofHotels and Resorts' compliance with the Approved Standard (each such annual assessment, together with any certification relative to such assessment that may be obtained pursuant to Part ll.B, being defined as an "Assessment"). Each annual Assessment shall be completed by December 31. Foreach annual Assessment, the assessor conducting the Assessment must certifyas to the extentofHotels and Resorts' compliance with the Approved Standard. In addition, the assessor must: 1. certify individually, as to each Wyndham-branded Hotel, whether Hotels and Resorts treats as an untrusted network any Wyndham-branded Hotel's network that has a Cardholder Data Environment, and ifany such network 6
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 7 of 18 PageiD: 5026 is not treated as untrusted, certify that such network either is included in the Assessment or has during the 12 months preceding the Assessment separately been validated to be fully compliant with the Approved Standard; 2. certify as to the extent of Hotels and Resorts' compliance with each element ofa risk management protocol at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines, attached hereto as Appendix B; and 3. certify that the Assessment was conducted by a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independentjudgment in performing Assessments. Professionals qualified to prepare Assessments shall be: a person qualified as a Certified Information Systems Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; a Qualified Security Assessor under PCI DSS (QSA); or, at the election of Hotels and Resorts, a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. 7
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 8 of 18 PageiD: 5027 B. Ifthe assessor that conductsan Assessment descnbedinPart ll.A does not certify that Hotels and Resorts is fully compliant with the Approved Standard on which the Assessment in question is based and with the risk protocol referenced in Part ll.A.2 (a ''Noncompliant Assessment"), Hotels and Resorts shall, within sixty (60) days from the completion ofthe Noncompliant Assessment inquestion, obtain a certification from an assessor qualified under Part ll.A.3 attesting as to the extent ofHotels and Resorts' compliance with any requirements under the Approved Standardand/or the risk protocol in question that were not certified as being in place by the assessor that conducted the Assessment. C. Within one hundred and eighty (180) days following discovery ofa Breach involving more than 10,000 unique payment card numbers, Hotels and Resorts shall obtain an assessment that meets the requirements, established by the PCI Security Standards Council, ofa PCI Forensic Investigator Final Incident Report (or the equivalent ofsuch a report under then-current standards established by the PCI Security Standards Council, any successor entity to said council, or the major card brands), or, at the election ofHotels and Resorts, a standard ofcomparable scope and thoroughness approved by the Associate Directorfor Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. D. IfHotels and Resorts obtains (i) an Assessment certifying that Hotels and Resorts is fully compliant with the Approved Standard and (ii) such Assessment includes or is accompanied by the certifications called for by Part ll.A.l-ll.A3, Hotels and Resorts shall be deemed in compliance with Part I ofthis Order for one year from 8
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 9 of 18 PageiD: 5028 the date ofthat Assessment or until the next December 31 Assessment deadline, whichever is earlier. Provided, however: 1. A Practice by Hotels and Resorts shall not be deemed in compliance with Part I ofthis Order based upon a Part ll.A Assessment ifHotels and Resorts made a representation, express or implied, regarding the Practice that either misrepresented or omitted a material fact and such misrepresentation or omission would likely affect a reasonable Assessor's decision about whether the Practice complied with the Approved Standard. Further, in the event that such a misrepresentation or omission was made for the purpose ofdeceiving the assessor, Hotels and Resorts shall not be deemed compliant with any portion ofPart I or Part ll.A ofthis Order based on that Assessment. 2. Hotels and Resorts shall not be deemed in compliance with Part I ofthis Order based upon a Part ll.A Assessment as to any Practice that is a significant change from any Practice in place at the time ofthe Assessment in question, unless, at the time ofthe significant change, an assessor qualified under Part ll.A.3 certifies that the significant change does not cause Hotels and Resorts to fall out ofcompliance with the Approved Standard on which the Assessment in question was based. This Court shall have exclusivejurisdiction over the construction ofthis Order in any matter or proceeding involving or relating to unfair data security practices for Cardholder Data. Hotels and Resorts shall provide each Assessment required by this Part II, including any Part II.B certification or Part II.C report, to the Associate Director for Enforcement, Bureau ofConsumer 9
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 10 of 18 PageiD: 5029 Protection, Federal Trade Commission, within ten (10) days after the Assessment, certification, or report is delivered to Hotels and Resorts by the assessor or investigator in question. Unless otherwise directed by a representative ofthe Commission in writing, Hotels and Resorts shall email these materials to Debrief@ftc.gov or send them by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: FTC v. Wyndham Worldwide Corp., et. al., FTC File No. X120032. m. ORDER ACKNOWLEDGEMENTS IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts obtain acknowledgements ofreceipt ofthis Order: A. Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts, within seven (7) days ofentry ofthis Order, must submit to the Commission an acknowledgement ofreceipt ofthis Order. B. Hotels and Resorts shall deliver a copy ofthis Order: (1) to all its current subsidiaries within thirty (30) days after entry ofthis Order; and (2) for ten (10) years after entry ofthis Order, to any future subsidiary within thirty (30) days after its acquisition by Hotels and Resorts. C. For ten (10) years after entry of this Order, Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts must deliver a copy ofthis Order to (1) all controlling principals, board ofdirectors members, and LLC managers and members; (2) all officers, employees, agents, and representatives having responsibilities relating to the subject matter ofthis Order; and (3) any business entity resulting from any change in structure as set forth in the Part titled 10
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 11 of 18 PageiD: 5030 Compliance Reporting. Delivery must occur within fourteen (14) days ofentry of this Order for currentpersonnel. For all other personnel, delivery must occur before they assume their responsibilities. IV. COMPLIANCE REPORTING IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts make timely submissions to the Commission: A. One year after entry ofthis Order, Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts each must submit a compliance report certified as truthful by a senior corporate officer with the requisite corporate and organizational authority that (a) identifies the primary physical, postal, and email address and telephone number, as designated points ofcontact, which representatives ofthe Commission may use to communicate with that Defendant; (b) identifies all ofthat Defendant's United States businesses by all oftheir names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describes the activities ofthat Defendant's business and the involvement of any other Defendant; (d) describes in detail (either directly or by incorporating by reference a Part ll.A. Assessment) whether and how that Defendant is in compliance with each Part ofthis Order; and (e) provides a copy ofeach Order Acknowledgement obtained pursuant to this Order, unless previously submitted to the Commission. B. For ten (I0) years after entry of this Order, each ofWyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts must submit a compliance notice within fourteen (14) days ofany change in the following: 11
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 12 of 18 PageiD: 5031 (a) any designated point ofcontact; or (b) the structure ofthat Defendant or any entity that that Defendant bas any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, assignment, sale, merger, or dissolution ofthe entity or any subsidiary, parent, or affiliate that engages in any act or practice subject to this Order. C. Unless otherwise directed by a representative of the Commission in writing, all submissions to the Commission pursuant to this Order shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin; FTC v. Wyndham Worldwide Corp., et al., Fl'C File No. X120032. V. RECORDKEEPING IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts shallmaintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of: A. For a period ofthree (3) years after the date ofpreparation ofeach Assessment required under Part nofthis Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalfofHotels and Resorts, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relied upon to prepare the Assessment. 12
case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 13 of 18 PageiD: 5032 VI. COMPLIANCE MONITORING IT IS FURTHER ORDERED that, for pUipOse ofmonitoring Wyndham Worldwide Corporation's, Wyndham Hotel Group, LLC's, and Hotels and Resorts' compliance with this Order: A. The Commission is authorized to seek discovery, without further leave of Court, using any ofthe procedures prescribed by Federal Rules ofCivil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69. Defendants may assert any and all objections, defenses, rights, or privileges in the Federal Rules of Civil Procedure, the Federal Rules ofEvidence, or any other applicable law, as to any such discovery request. B. Nothing in this Order limits the Commission's lawful use ofcompulsory process, pursuant to Sections 9 and 20 ofthe FTC Act, 15 U.S.C. §§ 49, 57b-l. Defendants may assert any and all objections, defenses, rights, or privileges available to them, as to any such process. C. This Part shall apply so long as Defendants are subject to any obligation in Part I or II of this Order, and for three years thereafter. VD. WYNDHAM WORLDWIDE CORPORATION AND WYNDHAM HOTEL GROUP, LLC IT IS FURTHER ORDERED that, so long as Wyndham Worldwide Corporation or Wyndham Hotel Group, LLC directly or indirectly holds Hotels and Resorts as a subsidiary, but in any event no longer than 20 years after entry ofthis Order, it shall ensure that Hotels and Resorts complies with this Order. In the event Wyndham Worldwide Corporation or Wyndham Hotel Group, LLC no longer directly or indirectly holds Hotels and Resorts as a subsidiary, but in any event no later than 20 years after entry ofthis Order, the obligations ofWyndham 13
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 14 of 18 PageiD: 5033 Worldwide Corporation and Wyndham Hotel Group, LLC under this Order shall cease immediately. Vlll. RETENTION OF JURISDICTION IT IS Fl.JRTHER ORDERED that this Court shall and does retainjurisdiction ofthis matter for purposes of, and shall have exclusivejurisdiction over, any matter or proceeding involving or relating to the modification and/or enforcement ofthis Order. SO ORDERED this J1tyof 14
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 15 of 18 PageiD: 5034 SO STIPULATED AND AGREED: FORFEDERAL TRADE COMMISSION Ke . on No. 975904) . KatherineE. McCarron Bar No. 486335) James A. Trilling(DC BarNo. 467273) Federal Trade Commission 600 Pennsylvania Avenue Washington, D.C. 20580 Attorneys for PlaintiffFederal Trade Commission 15 Date: ';2J~ J $"
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 16 of 18 PageiD: 5035 Eugene F.lssaf( C Bar No. 449 Kirkland & Ellis LiP 655 Fifteenth Street, N.Y. Washington,.DC 20008 Tel: (202) 879-5196 Fnx: ·(202) 879-5200 Email: eugette.assaf@kirkland.c.om Oat~; ( cJ/t1/1.9 AU~meys for Oefen~ant~ Wyndham Worldwide Gorporati_on, Wyndham Hotel Groupt LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Manag~m~nt, lnc. QEFENDANTS: Pate: ____ Wyndham Worldwide Cotporation Date:______ Wyndh.am Hotel Group,.LLC Date:.______ Wyndham Hotels and Rt!sorts, LLC Wyndham Hotel Management, Inc. Date;______ IS
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 17 of 18 PageiD: 5036 SUf3tl Ue-Q n.o.: tolt•t,r-[adt/l'ut {plw1tl ti] {fox I} [mtaJI] A1tm:Deyl ferDe.&maots Wyodbam Worldwide Corpoxaticm, Wyndham Hotel Group, u.c. Wyndham Hotels aDd Resort~, U.C, aad WyndhamHotel Mauagcmc:nt.lllc. DUJ:.NnANTS: 16
Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 18 of 18 PageiD: 5037 FOR DEFENDANTS: {address] [phorre #) ffax#) [email] Date: ____ Attorneys for Defendants Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management, Inc. DEFENDANTS: Wyndham Worldwide Corporation Date: Ir;!Jf/t£ ~LLC Date: I 0 / I 5 / 1 s'~ .. ~-- Date: I 0 / I Cj / I !:>- Hotels and Resorts, LLC ~ 16

Recommended

Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
MMMTechLaw
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
Edward Lam
 
CBI Comments on Proposed TRIA Regulatory Definitions
CBI Comments on Proposed TRIA Regulatory DefinitionsCBI Comments on Proposed TRIA Regulatory Definitions
CBI Comments on Proposed TRIA Regulatory Definitions
JasonSchupp1
 
MATH GRADE 10 LEARNER'S MODULE
MATH GRADE 10 LEARNER'S MODULEMATH GRADE 10 LEARNER'S MODULE
MATH GRADE 10 LEARNER'S MODULE
PRINTDESK by Dan
 
Vendor Contracts & Cyber Risks
Vendor Contracts & Cyber RisksVendor Contracts & Cyber Risks
Vendor Contracts & Cyber Risks
HB Litigation Conferences
 
1267 - PF Changs White Paper - Online
1267 - PF Changs White Paper - Online1267 - PF Changs White Paper - Online
1267 - PF Changs White Paper - Online
James Sheehan
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
Kelly Lam
 
Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...
David Sweigert
 

Recommended

Legal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and UsersLegal Issues Impacting Data Center Owners, Operators and Users
Legal Issues Impacting Data Center Owners, Operators and Users
MMMTechLaw
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
Edward Lam
 
CBI Comments on Proposed TRIA Regulatory Definitions
CBI Comments on Proposed TRIA Regulatory DefinitionsCBI Comments on Proposed TRIA Regulatory Definitions
CBI Comments on Proposed TRIA Regulatory Definitions
JasonSchupp1
 
MATH GRADE 10 LEARNER'S MODULE
MATH GRADE 10 LEARNER'S MODULEMATH GRADE 10 LEARNER'S MODULE
MATH GRADE 10 LEARNER'S MODULE
PRINTDESK by Dan
 
Vendor Contracts & Cyber Risks
Vendor Contracts & Cyber RisksVendor Contracts & Cyber Risks
Vendor Contracts & Cyber Risks
HB Litigation Conferences
 
1267 - PF Changs White Paper - Online
1267 - PF Changs White Paper - Online1267 - PF Changs White Paper - Online
1267 - PF Changs White Paper - Online
James Sheehan
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
Kelly Lam
 
Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...
David Sweigert
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
Victor Oluwajuwon Badejo
 
Cognia PCI DSS compliance services
Cognia PCI DSS compliance servicesCognia PCI DSS compliance services
Cognia PCI DSS compliance services
Cognia
 
Protecting Telephone based Payment Card Data
Protecting Telephone based Payment Card DataProtecting Telephone based Payment Card Data
Protecting Telephone based Payment Card Data
Cognia
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS Compliance
Apani Enterprise Security Software
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
Holly Vega
 
Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...
The Harvey Company Insurance Services
 
FACTA Red Flag Ruling - Frost Report
FACTA Red Flag Ruling - Frost ReportFACTA Red Flag Ruling - Frost Report
FACTA Red Flag Ruling - Frost Report
Robert Hutt
 
CNS599_NLEN_InformationSecurity
CNS599_NLEN_InformationSecurityCNS599_NLEN_InformationSecurity
CNS599_NLEN_InformationSecurity
Taishaun Owens
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminar
dlinehan2
 
Prevention of doctor shopping
Prevention of doctor shoppingPrevention of doctor shopping
Prevention of doctor shopping
Doug Brockway
 
Fraud prevention in dme claims
Fraud prevention in dme claimsFraud prevention in dme claims
Fraud prevention in dme claims
Doug Brockway
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
RobertXia
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
leon bonilla
 
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
- Mark - Fullbright
 
Cloud Computing_CS_Oct2012
Cloud Computing_CS_Oct2012Cloud Computing_CS_Oct2012
Cloud Computing_CS_Oct2012
Paras Kumar Jain
 
PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014
Richard Beaton
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Dawn Yankeelov
 
Strong Customer Authentication & Biometrics
Strong Customer Authentication & BiometricsStrong Customer Authentication & Biometrics
Strong Customer Authentication & Biometrics
FIDO Alliance
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
- Mark - Fullbright
 
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
David Sweigert
 

More Related Content

Similar to Federal Trade Commission empowers Payment Card Industry

CNS599_NLEN_InformationSecurity
CNS599_NLEN_InformationSecurityCNS599_NLEN_InformationSecurity
CNS599_NLEN_InformationSecurity
Taishaun Owens
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminar
dlinehan2
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
RobertXia
 
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
- Mark - Fullbright
 
Cloud Computing_CS_Oct2012
Cloud Computing_CS_Oct2012Cloud Computing_CS_Oct2012
Cloud Computing_CS_Oct2012
Paras Kumar Jain
 
PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014
Richard Beaton
 

Similar to Federal Trade Commission empowers Payment Card Industry (20)

A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
Cognia PCI DSS compliance services
Cognia PCI DSS compliance servicesCognia PCI DSS compliance services
Cognia PCI DSS compliance services
 
Protecting Telephone based Payment Card Data
Protecting Telephone based Payment Card DataProtecting Telephone based Payment Card Data
Protecting Telephone based Payment Card Data
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS Compliance
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...
 
FACTA Red Flag Ruling - Frost Report
FACTA Red Flag Ruling - Frost ReportFACTA Red Flag Ruling - Frost Report
FACTA Red Flag Ruling - Frost Report
 
CNS599_NLEN_InformationSecurity
CNS599_NLEN_InformationSecurityCNS599_NLEN_InformationSecurity
CNS599_NLEN_InformationSecurity
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminar
 
Prevention of doctor shopping
Prevention of doctor shoppingPrevention of doctor shopping
Prevention of doctor shopping
 
Fraud prevention in dme claims
Fraud prevention in dme claimsFraud prevention in dme claims
Fraud prevention in dme claims
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations an...
 
Cloud Computing_CS_Oct2012
Cloud Computing_CS_Oct2012Cloud Computing_CS_Oct2012
Cloud Computing_CS_Oct2012
 
PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014PCI Certificate of Compliance 2014
PCI Certificate of Compliance 2014
 
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the BreachLegal Issues in Data Privacy and Security: Response Readiness Before the Breach
Legal Issues in Data Privacy and Security: Response Readiness Before the Breach
 
Strong Customer Authentication & Biometrics
Strong Customer Authentication & BiometricsStrong Customer Authentication & Biometrics
Strong Customer Authentication & Biometrics
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 

More from David Sweigert

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
mayurchatre90
 
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
RRR Chambers
 
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
SS A
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
E LSS
 

Recently uploaded (20)

589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statute
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
 
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
How do cyber crime lawyers in Mumbai collaborate with law enforcement agencie...
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .ppt
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
 
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 25 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
 
pnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptx
pnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptxpnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptx
pnp FIRST-RESPONDER-IN-CRIME-SCENEs.pptx
 

Federal Trade Commission empowers Payment Card Industry

  • 1. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 1 of 18 PageiD: 5020 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY CLOSED Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corporation, eta/., Defendants. CIVIL ACTION NO. 2:13-CV-01887-ES-JAD STIPULATED ORDER FOR INJUNCTION Plaintiff, the Federal Trade Commission ("Commission"), filed its Complaint for Injunctive and Other Equitable Relief, subsequently amended as First Amended Complaint for Injunctive and Other Equitable Relief(''Complaint''), for a permanent injunction, and other equitable reliefin this matter, pursuant to Section 13(b) ofthe Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 53(b). The Commission and Defendants stipulate to the entry ofthis Stipulated Order for Injunction ("Order") to resolve all matters indispute in this action between them. THEREFORE, IT IS ORDERED as follows: FINDINGS 1. This Court has jurisdiction over this matter. 2. The Complaint alleges that Defendants participated indeceptive and unfair acts or practices in violation ofSection 5 ofthe FTC Act, 15 U.S.C. § 45, related to their data security. 3. The agreement contained in this Order is for settlementpurposes only. 4. This Order does not constitute an admission by Defendants that the law has been violated as alleged in the complaint, or that the facts as alleged in the complaint, other than the jurisdictional facts, are true.
  • 2. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 2 of 18 PageiD: 5021 S. Defendants waive any claim that they may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution ofthis action through the date ofthis Order, and agree to bear their own costs and attorney fees. The Commission also agrees to bear its own costs and attorney fees. The parties agree that this Order resolves all allegations in the Complaint. 6. Defendants and the Commission waive all rights to appeal or otherwise challenge or contest the validity ofthis Order. DEFINITIONS For the pUipose ofthis Order, the following definitions apply: 1. "Approved Standard" shall mean PCI DSS or, at the election ofHotels and Resorts, any standard ofcomparable scope and thoroughness approved by the Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. 2. "Breach'~ shall be defined as an intrusion into a Cardholder Data Environment within a network that, as to Hotels and Resorts, is not an untrusted network, where Hotels and Resorts bas reason to suspect the unauthorized disclosure, theft, modification, or destruction of Cardholder Data. 3. "Cardholder Data" shall have the meaning PCI DSS Version 3.1, attached hereto as Appendix A, gives to the term "Cardholder Data," ie., "cardholder data" shall be defined, at a minimum, as the full PAN. The PAN is the unique payment card number(typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Cardholder data may also appear in the form of the full PAN plus any ofthe following: cardholder name, expiration date, and/or service code. 2
  • 3. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 3 of 18 PageiD: 5022 4. "Cardholder Data Environment'' shall have the meaning PCI DSS Version 3.1, attached hereto as Appendix A, gives to the term "cardholder data environment," i.e., the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. 5. ''Defendants" shall mean (1) Hotels and Resorts; (2) Wyndham Hotel Management, Inc.; (3) Wyndham Hotel Group, LLC and its successors and assigns; and (4) Wyndham Worldwide Corporation and its successors and assigns. 6. "Hotels and Resorts" shall mean Wyndham Hotels and Resorts, LLC, its subsidiaries and divisions, and its successors and assigns; provided, however, that in no event shall ''Hotels and Resorts" include any ofthe Wyndham-branded Hotels. No entity shall be considered a subsidiary or a division for purposes ofthe definition ofHotels and Resorts in the event such entity is no longer a subsidiary or division of Hotels and Resorts. 7. upcJ DSS" shall mean the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, Version 3.1, attached hereto as Appendix A, or, in the event such standard no longer exists, any successor standard established or approved by the Payment Card Industry Security Standards Council, any successor entity to said Council, or all ofthe majorpayment card brands. In the event no such successor standard or successor entity exists, PCI DSS shall mean a standard ofcomparable scope and thoroughness approved by the Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. 8. "Practice" shall mean any act or omission implicating information security, including any conduct, implementation, control, configuration, procedure, process, or policy. 3
  • 4. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 4 of 18 PagetO: 5023 9. ''Treat as an untrusted network" shall mean to implement the security protections that PCI DSS Version 3.1, attached hereto as Appendix A, requires to be put in place with regard to an untrusted network. 10. ''Untrusted network'' shall have the meaning that Requirement 1.2 ofPCI DSS Version 3.1, attached hereto as Appendix A, gives to the term ''untrusted network," i.e., any network that is external to the networks belonging to the entity under review, and/or which is out ofthe entity's ability to control or manage. 11. "Wyndham-branded Hotel" shall mean an independently-owned hotel that is operated in the United States pursuant to a management or franchise agreement with Hotels and Resorts or Wyndham Hotel Management, Inc. or any oftheir respective subsidiaries (a) under one ofthe following brand names or any successor brand name to one ofthe following brand names: Wyndham Hotels and Resorts, Wyndham Grand, and Wyndham Garden Hotels, or (b) under any other hotel brand name that is marketed by Hotels and Resorts to potential licensees of such brand name by means ofa Franchise Disclosure Document or any other regulatory disclosure document generally required by the Federal Trade Commission to be delivered to a potential licensee in connection with the sale ofa franchise. ORDER I. COMPREHENSIVE INFORMATION SECURITYPROGRAM IT IS ORDERED that Hotels and Resorts shall, no later than the date of entry ofthis Order, establish and implement, and thereafter maintain, for twenty (20) years after entry ofthis Order, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity ofCardholder Data that it collects orreceives in the United States from or about consumers. Such program, the content and implementation ofwhich must 4
  • 5. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 5 of 18 PageiD: 5024 be fully documented in writing, shall consist ofthe following administrative, technical, and physical safeguards appropriate to Hotels and Resorts' size and complexity, the nature and scope ofHotels and Resorts' activities, and the sensitivity ofthe Cardholder Data at issue: A the designation ofan employee oremployees to coordinate and be accountable for the information security program; B. the identification ofmaterial internal and external risks to the security, confidentiality, and integrity ofCardholder Data that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise ofsuch information, and assessment of the sufficiency ofany safeguards in place to control these risks. At a minimum, this risk assessment should include consideration ofrisks in each area ofrelevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, (3) risks emanating from the Wyndham-branded Hotels, and (4) prevention, detection, and response to attacks, intrusions, or othersystems failure; C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment (including any risks emanating from the Wyndham-branded Hotels), and regular testing or monitoring ofthe effectiveness of the safeguards' key controls, systems, and procedures; D. the development and use ofreasonable steps to select and retain service providers capable ofappropriately safeguarding CardholderData they receive from Hotels 5
  • 6. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 6 of 18 PageiD: 5025 and Resorts and requiring such service providers by contract to implement and maintain appropriate safeguards for such information; and E. the evaluation and adjustment ofHotels and Resorts' information security program described herein in light ofthe results ofthe testing and monitoring required by Part I.C or any other circumstances (including any material changes to Hotels and Resorts' operations or business arrangements) that Hotels and Resorts knows or has reason to know may have a material impact on the effectiveness ofsuch information security program. U. CARDHOLDER DATA ASSESSMENTS IT IS FURTHER ORDERED that, Hotels and Resorts shall, so long as there is a Cardholder Data Environment within a network that, as to Hotels and Resorts, is not an untrusted network, but in any event, for no longer than a period oftwenty (20) years after entry ofthis Order: A. Annually obtain a written assessment ofthe extent ofHotels and Resorts' compliance with the Approved Standard (each such annual assessment, together with any certification relative to such assessment that may be obtained pursuant to Part ll.B, being defined as an "Assessment"). Each annual Assessment shall be completed by December 31. Foreach annual Assessment, the assessor conducting the Assessment must certifyas to the extentofHotels and Resorts' compliance with the Approved Standard. In addition, the assessor must: 1. certify individually, as to each Wyndham-branded Hotel, whether Hotels and Resorts treats as an untrusted network any Wyndham-branded Hotel's network that has a Cardholder Data Environment, and ifany such network 6
  • 7. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 7 of 18 PageiD: 5026 is not treated as untrusted, certify that such network either is included in the Assessment or has during the 12 months preceding the Assessment separately been validated to be fully compliant with the Approved Standard; 2. certify as to the extent of Hotels and Resorts' compliance with each element ofa risk management protocol at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines, attached hereto as Appendix B; and 3. certify that the Assessment was conducted by a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independentjudgment in performing Assessments. Professionals qualified to prepare Assessments shall be: a person qualified as a Certified Information Systems Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; a Qualified Security Assessor under PCI DSS (QSA); or, at the election of Hotels and Resorts, a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. 7
  • 8. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 8 of 18 PageiD: 5027 B. Ifthe assessor that conductsan Assessment descnbedinPart ll.A does not certify that Hotels and Resorts is fully compliant with the Approved Standard on which the Assessment in question is based and with the risk protocol referenced in Part ll.A.2 (a ''Noncompliant Assessment"), Hotels and Resorts shall, within sixty (60) days from the completion ofthe Noncompliant Assessment inquestion, obtain a certification from an assessor qualified under Part ll.A.3 attesting as to the extent ofHotels and Resorts' compliance with any requirements under the Approved Standardand/or the risk protocol in question that were not certified as being in place by the assessor that conducted the Assessment. C. Within one hundred and eighty (180) days following discovery ofa Breach involving more than 10,000 unique payment card numbers, Hotels and Resorts shall obtain an assessment that meets the requirements, established by the PCI Security Standards Council, ofa PCI Forensic Investigator Final Incident Report (or the equivalent ofsuch a report under then-current standards established by the PCI Security Standards Council, any successor entity to said council, or the major card brands), or, at the election ofHotels and Resorts, a standard ofcomparable scope and thoroughness approved by the Associate Directorfor Enforcement, Bureau ofConsumer Protection, Federal Trade Commission. D. IfHotels and Resorts obtains (i) an Assessment certifying that Hotels and Resorts is fully compliant with the Approved Standard and (ii) such Assessment includes or is accompanied by the certifications called for by Part ll.A.l-ll.A3, Hotels and Resorts shall be deemed in compliance with Part I ofthis Order for one year from 8
  • 9. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12111115 Page 9 of 18 PageiD: 5028 the date ofthat Assessment or until the next December 31 Assessment deadline, whichever is earlier. Provided, however: 1. A Practice by Hotels and Resorts shall not be deemed in compliance with Part I ofthis Order based upon a Part ll.A Assessment ifHotels and Resorts made a representation, express or implied, regarding the Practice that either misrepresented or omitted a material fact and such misrepresentation or omission would likely affect a reasonable Assessor's decision about whether the Practice complied with the Approved Standard. Further, in the event that such a misrepresentation or omission was made for the purpose ofdeceiving the assessor, Hotels and Resorts shall not be deemed compliant with any portion ofPart I or Part ll.A ofthis Order based on that Assessment. 2. Hotels and Resorts shall not be deemed in compliance with Part I ofthis Order based upon a Part ll.A Assessment as to any Practice that is a significant change from any Practice in place at the time ofthe Assessment in question, unless, at the time ofthe significant change, an assessor qualified under Part ll.A.3 certifies that the significant change does not cause Hotels and Resorts to fall out ofcompliance with the Approved Standard on which the Assessment in question was based. This Court shall have exclusivejurisdiction over the construction ofthis Order in any matter or proceeding involving or relating to unfair data security practices for Cardholder Data. Hotels and Resorts shall provide each Assessment required by this Part II, including any Part II.B certification or Part II.C report, to the Associate Director for Enforcement, Bureau ofConsumer 9
  • 10. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 10 of 18 PageiD: 5029 Protection, Federal Trade Commission, within ten (10) days after the Assessment, certification, or report is delivered to Hotels and Resorts by the assessor or investigator in question. Unless otherwise directed by a representative ofthe Commission in writing, Hotels and Resorts shall email these materials to Debrief@ftc.gov or send them by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin: FTC v. Wyndham Worldwide Corp., et. al., FTC File No. X120032. m. ORDER ACKNOWLEDGEMENTS IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts obtain acknowledgements ofreceipt ofthis Order: A. Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts, within seven (7) days ofentry ofthis Order, must submit to the Commission an acknowledgement ofreceipt ofthis Order. B. Hotels and Resorts shall deliver a copy ofthis Order: (1) to all its current subsidiaries within thirty (30) days after entry ofthis Order; and (2) for ten (10) years after entry ofthis Order, to any future subsidiary within thirty (30) days after its acquisition by Hotels and Resorts. C. For ten (10) years after entry of this Order, Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts must deliver a copy ofthis Order to (1) all controlling principals, board ofdirectors members, and LLC managers and members; (2) all officers, employees, agents, and representatives having responsibilities relating to the subject matter ofthis Order; and (3) any business entity resulting from any change in structure as set forth in the Part titled 10
  • 11. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 11 of 18 PageiD: 5030 Compliance Reporting. Delivery must occur within fourteen (14) days ofentry of this Order for currentpersonnel. For all other personnel, delivery must occur before they assume their responsibilities. IV. COMPLIANCE REPORTING IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts make timely submissions to the Commission: A. One year after entry ofthis Order, Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts each must submit a compliance report certified as truthful by a senior corporate officer with the requisite corporate and organizational authority that (a) identifies the primary physical, postal, and email address and telephone number, as designated points ofcontact, which representatives ofthe Commission may use to communicate with that Defendant; (b) identifies all ofthat Defendant's United States businesses by all oftheir names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describes the activities ofthat Defendant's business and the involvement of any other Defendant; (d) describes in detail (either directly or by incorporating by reference a Part ll.A. Assessment) whether and how that Defendant is in compliance with each Part ofthis Order; and (e) provides a copy ofeach Order Acknowledgement obtained pursuant to this Order, unless previously submitted to the Commission. B. For ten (I0) years after entry of this Order, each ofWyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts must submit a compliance notice within fourteen (14) days ofany change in the following: 11
  • 12. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 12 of 18 PageiD: 5031 (a) any designated point ofcontact; or (b) the structure ofthat Defendant or any entity that that Defendant bas any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, assignment, sale, merger, or dissolution ofthe entity or any subsidiary, parent, or affiliate that engages in any act or practice subject to this Order. C. Unless otherwise directed by a representative of the Commission in writing, all submissions to the Commission pursuant to this Order shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau ofConsumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin; FTC v. Wyndham Worldwide Corp., et al., Fl'C File No. X120032. V. RECORDKEEPING IT IS FURTHER ORDERED that Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Hotels and Resorts shallmaintain and upon request make available to the Commission for inspection and copying, a print or electronic copy of: A. For a period ofthree (3) years after the date ofpreparation ofeach Assessment required under Part nofthis Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalfofHotels and Resorts, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relied upon to prepare the Assessment. 12
  • 13. case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 13 of 18 PageiD: 5032 VI. COMPLIANCE MONITORING IT IS FURTHER ORDERED that, for pUipOse ofmonitoring Wyndham Worldwide Corporation's, Wyndham Hotel Group, LLC's, and Hotels and Resorts' compliance with this Order: A. The Commission is authorized to seek discovery, without further leave of Court, using any ofthe procedures prescribed by Federal Rules ofCivil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69. Defendants may assert any and all objections, defenses, rights, or privileges in the Federal Rules of Civil Procedure, the Federal Rules ofEvidence, or any other applicable law, as to any such discovery request. B. Nothing in this Order limits the Commission's lawful use ofcompulsory process, pursuant to Sections 9 and 20 ofthe FTC Act, 15 U.S.C. §§ 49, 57b-l. Defendants may assert any and all objections, defenses, rights, or privileges available to them, as to any such process. C. This Part shall apply so long as Defendants are subject to any obligation in Part I or II of this Order, and for three years thereafter. VD. WYNDHAM WORLDWIDE CORPORATION AND WYNDHAM HOTEL GROUP, LLC IT IS FURTHER ORDERED that, so long as Wyndham Worldwide Corporation or Wyndham Hotel Group, LLC directly or indirectly holds Hotels and Resorts as a subsidiary, but in any event no longer than 20 years after entry ofthis Order, it shall ensure that Hotels and Resorts complies with this Order. In the event Wyndham Worldwide Corporation or Wyndham Hotel Group, LLC no longer directly or indirectly holds Hotels and Resorts as a subsidiary, but in any event no later than 20 years after entry ofthis Order, the obligations ofWyndham 13
  • 14. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 14 of 18 PageiD: 5033 Worldwide Corporation and Wyndham Hotel Group, LLC under this Order shall cease immediately. Vlll. RETENTION OF JURISDICTION IT IS Fl.JRTHER ORDERED that this Court shall and does retainjurisdiction ofthis matter for purposes of, and shall have exclusivejurisdiction over, any matter or proceeding involving or relating to the modification and/or enforcement ofthis Order. SO ORDERED this J1tyof 14
  • 15. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 15 of 18 PageiD: 5034 SO STIPULATED AND AGREED: FORFEDERAL TRADE COMMISSION Ke . on No. 975904) . KatherineE. McCarron Bar No. 486335) James A. Trilling(DC BarNo. 467273) Federal Trade Commission 600 Pennsylvania Avenue Washington, D.C. 20580 Attorneys for PlaintiffFederal Trade Commission 15 Date: ';2J~ J $"
  • 16. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11115 Page 16 of 18 PageiD: 5035 Eugene F.lssaf( C Bar No. 449 Kirkland & Ellis LiP 655 Fifteenth Street, N.Y. Washington,.DC 20008 Tel: (202) 879-5196 Fnx: ·(202) 879-5200 Email: eugette.assaf@kirkland.c.om Oat~; ( cJ/t1/1.9 AU~meys for Oefen~ant~ Wyndham Worldwide Gorporati_on, Wyndham Hotel Groupt LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Manag~m~nt, lnc. QEFENDANTS: Pate: ____ Wyndham Worldwide Cotporation Date:______ Wyndh.am Hotel Group,.LLC Date:.______ Wyndham Hotels and Rt!sorts, LLC Wyndham Hotel Management, Inc. Date;______ IS
  • 17. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 17 of 18 PageiD: 5036 SUf3tl Ue-Q n.o.: tolt•t,r-[adt/l'ut {plw1tl ti] {fox I} [mtaJI] A1tm:Deyl ferDe.&maots Wyodbam Worldwide Corpoxaticm, Wyndham Hotel Group, u.c. Wyndham Hotels aDd Resort~, U.C, aad WyndhamHotel Mauagcmc:nt.lllc. DUJ:.NnANTS: 16
  • 18. Case 2:13-cv-01887-ES-JAD Document 283 Filed 12/11/15 Page 18 of 18 PageiD: 5037 FOR DEFENDANTS: {address] [phorre #) ffax#) [email] Date: ____ Attorneys for Defendants Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management, Inc. DEFENDANTS: Wyndham Worldwide Corporation Date: Ir;!Jf/t£ ~LLC Date: I 0 / I 5 / 1 s'~ .. ~-- Date: I 0 / I Cj / I !:>- Hotels and Resorts, LLC ~ 16