Blog article
See all stories »

An article relating to this blog post on Finextra:

Savvis faces bank lawsuit over CardSystems data breach

Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations...


See article

Does Merrick have a case against Savvis?

Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations.

However, do they have a case?

The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Approved Scanning Vendors (ASVs) are recognised by the PCI Security Standards Council (PCI SSC) to perform PCI data security scanning, whilst Qualified Security Assessors (QSAs) are recognised by the PCI SSC to perform PCI data security assessments.

The SAQ considers the 12 PCI DSS Requirements as one-liner’s – eg No. 3 “Protect stored cardholder data” or  No. 9 “Restrict physical access to cardholder data” – that’s it. It’s entirely at the Merchant/Service Providers internal discretion as to how diligently they conduct the self assessment

Service Providers such as Checkpoint would only be required to perform an annual SAQ, and have a quarterly Network scan by an ASV.

I can find no evidence that Savvis was ever on the list of QSAs in their own right. Savvis still offer a PCI Compliance service in which they partner with an unnamed ASV – but who is not described in the literature as a QSA.

So a case could be made that Merrick should have done their homework on PCI DSS before selecting Savvis; if they wanted more than just a Network Scan, but wanted assurance that Cardholder data was protected, then they should have commissioned a Report on Compliance by a QSA.

caveat emptor

5581

Comments: (1)

Stephen Wilson
Stephen Wilson - Lockstep Consulting - Sydney 06 June, 2009, 03:27Be the first to give this comment the thumbs up 0 likes

I have to agree with the detail of Keith's arguments.  However, the fact that we are increasingly drawn into these excrutiatingly detailed examinations of audit processes points to an deep mallaise.  Empirically, PCI is looking increasingly impotent.  I say bravo that the US Homeland Security Committee has asked the plain question, Has PCI compliance curtailed cyber crime?

It is unedifying to debate whether or not Heartland for instance was "really" PCI compliant.  And it does the consumer no good at all when compromised institutions resort to suing their auditors.  Security audit -- like any audit -- is a very limited tool for combatting crime.  Audits find problems but the absence of audit findings does not mean an absence of problems.  The PCI regime will help prevent accidental breaches and amateur attacks but it is surely powerless against organised crime and inside jobs.

Rather than piling on more and more compliance requirements, we need to render stolen cardholder data useless to criminals. 

Stephen Wilson, Lockstep.

Keith Appleyard

Keith Appleyard

IT Consultant

available for hire

Member since

17 Aug 2007

Location

Bromley

Blog posts

60

Comments

111

This post is from a series of posts in the group:

Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.


See all

Now hiring