Jun 04 2009
If you haven’t heard already, Merrick Bank is suing Savvis for negligence regarding the CardSystems compromise back in 2005. Merrick is contends that Savvis was grossly negligent when they certified CardSystems to Visa and that they hadn’t done a proper assessment, essentially rubberstamping CardSystems as compliant. It is know for certain that a number of CardSystems databases were not encrypted, had never been encrypted; now it’s going to be up to the lawyers to prove that Savvis didn’t dig deep enough in their assesment to the level of negligence. How this gets resolved in court is going to be something that will have a definite effect on everyone in the PCI industry.
I think this incident will be a wake up call for the industry as a whole. Whether or not it ever goes to trial or if Merrick win’s the case, it’s going to shake the tree and there will be some people who fall out. The fact that Merrick thinks they have a case and can prove it in court is enough to scare a lot of people who don’t have the resources Saavis does to defend themselves and make them rethink how they do assessments. It’s also going to make a lot of them rethink whether they should be in this space in the first place; some companies definitely shouldn’t. No one wants to be the next company who’s sued.
One point that’s being overlooked in some of the commentary I’m reading is that the CISP program is NOT the PCI DSS. CISP was an immature standard, it didn’t have all the requirements that PCI does and in general it wasn’t being enforced with the same rigor that PCI is. Not that PCI is perfect either, but it’s a far cry better than CISP. How this trail goes forward will definitely impact the next itteration of PCI, but it’s not the two standards are not identical and what is discovered during this court case won’t be a validation or condemnation of the PCI DSS. Sorry guys, but even if Merrick wins, you won’t be able to use it as proof that PCI is broken. Of course, that’s not even taking into account that we haven’t even determined what the definition of ‘broken’ is when we’re applying it to an industry standard. But that’s a rant for some other day.
For some background inforamtion on this lawsuit, start by reading Kim Zetter’s Wired article “In Legal First, Data-breach Suit Targets Auditor“. Once you’ve digested that article, take a break and sit down to read David Navetta’s post “Merrick Bank vs Savvis: Analysis of the Merrick Bank Complaint“. David’s a lawyer who explains what’s at stake, what’s going to be required to win the case and what the legal definition of ‘negligence’ is. He’s probably looking forward to this trail in the same way many people would look forward to a playoff series. Another pair of articles are Rafal Los’ “Dangerous Times for PCI Regulations, Auditors” and a reply to the article over at Blackfistsecurity, “Is suing a QSA the right thing to do?” Finally, wrap it all up with an article from my podcast cohost, Rich Mogull, “How Market Forces Can Fix PCI” I know it’s a lot of reading, but there’s a lot to think about concerning what’s working in the PCI arena and what’s not.
In closing, remember two things: PCI is not perfect, but it is raising the security bar for many of the companies affected by it and that PCI is only a baseline you need to hit to satisfy the assessor and Visa/MC/AX. Making your company secure is up to you and no standard is going to be effective if merchants are actively trying to do the bare minimum. As an assessor, I can do my best (or my least) to make sure you’ve lived up to the letter of the law, but it’s up to you to make sure you’ve lived up to the spirit.
Update: A couple additional articles of not on this issue:
- PCI compliance accused of becoming meaningless if not correctly enforced – The problem is, the exact same thing same thing could be said about any compliance effort, so I’m not sure if this is a valid complaint.
- Why suing auditors won’t solve the data breach epidemic – Get a couple of beers into any security professional and you’ll probably hear horror stories that you wish you hadn’t. One of the reasons I usually stop at one beer.