Announcement

Collapse
No announcement yet.

InfoSEC Company Get Sued PCI-DSS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • valkyrie
    replied
    Re: InfoSEC Company Get Sued PCI-DSS

    Originally posted by xor View Post
    I found this interesting as well as it should be interesting to watch. It could get very ugly out there. Seems like it's more about assigning blame and who gets to pay the bill.

    Source: Sans

    --Bank Sues Company That Certified CardSystems Solutions Before Breach
    (May 26 & 27, 2009)
    Merrick Bank has filed a lawsuit against Savvis, alleging negligence
    because the company certified CardSystems Solutions as compliant with
    Visa and MasterCard security requirements less than a year before the
    payment processor suffered a massive data security breach. Merrick
    claims that fraudulent transactions resulting from the breach cost it
    US $16 million in payments to the credit card companies for using a
    non-compliant processor, payments to banks affected by the breach and
    legal fees. Attackers were able to steal information on 40 million
    credit card accounts because CardSystems stored unencrypted card data
    on its servers.
    http://www.finextra.com/fullstory.asp?id=20067
    http://www.digitaltransactions.net/n...fm?newsid=2221

    [Editor's Note (Pescatore): Making this charge stick will require
    proving that the non-compliant condition existed at the time of the
    audit and should have been discovered with reasonable diligence. But it
    will be good to see some external attention focused on the PCI audit
    process.

    (Schultz): The issue concerning whether an organization is (but probably
    more importantly, *was* at the time of a data security breach) PCI-DSS
    compliant is becoming increasingly complex. <snip>I]
    Sounds like there may be a burgeoning specialty in the Information Security field:

    Information Security Forensics Analyst (aka, "Liar, Liar, Pants on Fire" Analyst) - one who back tracks through all the documentation that an organization is supposed to keep (I will just mention host/application/network change control packages, configuration management packages, new application/services deployments, new client deployments, etc) to determine if end state (at the point of breach) was dissimilar to the initial state (at the point of the initial audit analysis and sign-off) and exactly what those dissimilarities might be.

    I have performed something of this nature. I wouldn't do it again unless I was paid a s**tload lot more money.

    I am not a lawyer, however, I greatly doubt that this lawsuit will stand unless the analysts missed one or more vulnerabilities through which one could drive a truck; like the alleged unencrypted card data, and that it can be proven that it was not purposely hidden from them and they just missed it. A company performing any type of non-attestation (company financials) IS audit can only really be held accountable for their findings regarding the contractually scoped network and components at the point in time that the audit is performed and signed off. This is why when audits or assessments are performed one keeps every scrap (generated logfiles/configs, screen shots, handwritten notes, the kleenex that the IT manager sneezed upon) as supporting evidence of initial state findings. And God help that analyst who says, "That? I didn't think that was important enough to keep..."

    JMTC...

    Regards,

    valkyrie
    __________________________________________
    sapere aude

    Leave a comment:


  • xor
    started a topic InfoSEC Company Get Sued PCI-DSS

    InfoSEC Company Get Sued PCI-DSS

    I found this interesting as well as it should be interesting to watch. It could get very ugly out there. Seems like it's more about assigning blame and who gets to pay the bill.


    Source: Sans

    --Bank Sues Company That Certified CardSystems Solutions Before Breach
    (May 26 & 27, 2009)
    Merrick Bank has filed a lawsuit against Savvis, alleging negligence
    because the company certified CardSystems Solutions as compliant with
    Visa and MasterCard security requirements less than a year before the
    payment processor suffered a massive data security breach. Merrick
    claims that fraudulent transactions resulting from the breach cost it
    US $16 million in payments to the credit card companies for using a
    non-compliant processor, payments to banks affected by the breach and
    legal fees. Attackers were able to steal information on 40 million
    credit card accounts because CardSystems stored unencrypted card data
    on its servers.
    http://www.finextra.com/fullstory.asp?id=20067
    http://www.digitaltransactions.net/n...fm?newsid=2221

    [Editor's Note (Pescatore): Making this charge stick will require
    proving that the non-compliant condition existed at the time of the
    audit and should have been discovered with reasonable diligence. But it
    will be good to see some external attention focused on the PCI audit
    process.

    (Schultz): The issue concerning whether an organization is (but probably
    more importantly, *was* at the time of a data security breach) PCI-DSS
    compliant is becoming increasingly complex. If a bank, merchant, or
    other organization has passed a PCI-DSS audit, but then a security
    breach involving credit card information occurs sometime later, the PCI
    Consortium has increasingly suddenly declared the organization to be
    non-compliant. As good as they are, PCI-DSS standards do not require
    anything near perfect data security, and no audit is 100 percent
    comprehensive. Residual risk will always be present as long as systems
    are connected to any network. If PCI-DSS auditors are going to become
    legally liable for future data security breaches, the cost to perform
    these audits will, unfortunately, most likely skyrocket out of control.
    (Hoelzer): While the legal system is an important tool when it comes to
    forcing organizations to be responsible, this may mark a dangerous time
    for PCI. PCI/DSS isn't perfect but it's a pretty good start. If
    lawsuits continue to pile on, however, we could see energy start to
    build for the elimination of standards of this kind since they may
    appear to be leading toward greater liability rather than reduced
    liability.]
Working...
X