I found this interesting, and it should be interesting to watch. It could get very ugly out there. Seems like it's more about assigning blame and who gets to pay the bill.
Source: Sans
--Bank Sues Company That Certified CardSystems Solutions Before Breach
(May 26 & 27, 2009)
Merrick Bank has filed a lawsuit against Savvis, alleging negligence
because the company certified CardSystems Solutions as compliant with
Visa and MasterCard security requirements less than a year before the
payment processor suffered a massive data security breach. Merrick
claims that fraudulent transactions resulting from the breach cost it
US $16 million in payments to the credit card companies for using a
non-compliant processor, payments to banks affected by the breach and
legal fees. Attackers were able to steal information on 40 million
credit card accounts because CardSystems stored unencrypted card data
on its servers.
http://www.finextra.com/fullstory.asp?id=20067
http://www.digitaltransactions.net/n...fm?newsid=2221
[Editor's Note (Pescatore): Making this charge stick will require
proving that the non-compliant condition existed at the time of the
audit and should have been discovered with reasonable diligence. But it
will be good to see some external attention focused on the PCI audit
process.
(Schultz): The issue concerning whether an organization is (but probably
more importantly, *was* at the time of a data security breach) PCI-DSS
compliant is becoming increasingly complex. If a bank, merchant, or
other organization has passed a PCI-DSS audit, but then a security
breach involving credit card information occurs sometime later, the PCI
Consortium has increasingly suddenly declared the organization to be
non-compliant. As good as they are, PCI-DSS standards do not require
anything near perfect data security, and no audit is 100 percent
comprehensive. Residual risk will always be present as long as systems
are connected to any network. If PCI-DSS auditors are going to become
legally liable for future data security breaches, the cost to perform
these audits will, unfortunately, most likely skyrocket out of control.
(Hoelzer): While the legal system is an important tool when it comes to
forcing organizations to be responsible, this may mark a dangerous time
for PCI. PCI/DSS isn't perfect but it's a pretty good start. If
lawsuits continue to pile on, however, we could see energy start to
build for the elimination of standards of this kind since they may
appear to be leading toward greater liability rather than reduced
liability.]