16 July 2018
Keith Appleyard

Please Engage Brain

Keith Appleyard - available for hire

60Posts 306,392Views 107Comments


A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.
A post relating to this item from Finextra:

Savvis faces bank lawsuit over CardSystems data breach

26 May 2009  |  14043 views  |  0
Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations...

Does Merrick have a case against Savvis?

27 May 2009  |  4973 views  |  1

Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations.

However, do they have a case?

The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Approved Scanning Vendors (ASVs) are recognised by the PCI Security Standards Council (PCI SSC) to perform PCI data security scanning, whilst Qualified Security Assessors (QSAs) are recognised by the PCI SSC to perform PCI data security assessments.

The SAQ considers the 12 PCI DSS Requirements as one-liner’s – eg No. 3 “Protect stored cardholder data” or  No. 9 “Restrict physical access to cardholder data” – that’s it. It’s entirely at the Merchant/Service Providers internal discretion as to how diligently they conduct the self assessment

Service Providers such as Checkpoint would only be required to perform an annual SAQ, and have a quarterly Network scan by an ASV.

I can find no evidence that Savvis was ever on the list of QSAs in their own right. Savvis still offer a PCI Compliance service in which they partner with an unnamed ASV – but who is not described in the literature as a QSA.

So a case could be made that Merrick should have done their homework on PCI DSS before selecting Savvis; if they wanted more than just a Network Scan, but wanted assurance that Cardholder data was protected, then they should have commissioned a Report on Compliance by a QSA.

caveat emptor

TagsCardsRisk & regulation

Comments: (1)

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 06 June, 2009, 03:27

I have to agree with the detail of Keith's arguments.  However, the fact that we are increasingly drawn into these excrutiatingly detailed examinations of audit processes points to an deep mallaise.  Empirically, PCI is looking increasingly impotent.  I say bravo that the US Homeland Security Committee has asked the plain question, Has PCI compliance curtailed cyber crime?

It is unedifying to debate whether or not Heartland for instance was "really" PCI compliant.  And it does the consumer no good at all when compromised institutions resort to suing their auditors.  Security audit -- like any audit -- is a very limited tool for combatting crime.  Audits find problems but the absence of audit findings does not mean an absence of problems.  The PCI regime will help prevent accidental breaches and amateur attacks but it is surely powerless against organised crime and inside jobs.

Rather than piling on more and more compliance requirements, we need to render stolen cardholder data useless to criminals. 

Stephen Wilson, Lockstep.

Be the first to give this comment the thumbs up 0 thumb ups!
Comment on this story (membership required)

Latest posts from Keith

Barclays On-line Banking deserves better error messages

02 January 2014  |  14597 views  |  1 comments | recomends Recommends 0 TagsMobile & onlinePaymentsGroupWhatever...

RBS does have robust procedures

01 October 2013  |  3655 views  |  0 comments | recomends Recommends 0 TagsMobile & onlinePaymentsGroupWhatever...

National Savings and Investments are rather too lethargic

17 April 2013  |  14042 views  |  0 comments | recomends Recommends 1 TagsSecurityMobile & onlineGroupWhatever...

RBS Internet Banking is not for the English

28 January 2013  |  5749 views  |  0 comments | recomends Recommends 0 TagsMobile & onlineGroupWhatever...

RBS don't seem to understand basic book-keeping rules

26 June 2012  |  6501 views  |  5 comments | recomends Recommends 2 TagsPaymentsGroupWhatever...

Keith's profile

job title IT Consultant
location Bromley
member since 2008
Summary profile See full profile »
Focussing on IT Strategy and Systems Architecture issues, primarily in the Payment Card Industry - scope is Global. SME on topics such as Data Protection and Encryption.

Keith's expertise

Member since 2007
60 posts107 comments
What Keith reads

Who's commenting on Keith's posts