22 April 2018
Andre Edelbrock - Ethoca
Finextra community: Transaction Fraud Systems and Analysis
A post relating to this item from Finextra:

Savvis faces bank lawsuit over CardSystems data breach

26 May 2009
Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations...

CardSystems Case Signals Accountability and Liability Shift

26 June 2009

A few weeks ago, it was reported that Merrick Bank was suing Savvis, an IT consultancy, for performing a sloppy and inaccurate audit in 2004 of CardSystems' compliance with CISP (Cardholder Information Security Program), the predecessor to PCI DSS. Merrick hired Savvis to do the audit before signing a contract with CardSystems to process Merrick's card transactions. Although CardSystems was certified as compliant, it was later found to have stored cardholder data unencrypted, and when hackers subsequently breached its systems, compromising up to 40 million transaction records, Merrick claims it suffered damages totaling $16 million in fines from Visa and MasterCard as well as other costs to compensate breach victims.

Just a few years earlier, all this might have been swept under the rug, with all involved preferring to settle things privately to avoid public embarrassment. Today, however, there is growing awareness and understanding of the value of data, and consumers are angry and feeling vulnerable from the steady stream of high-profile data breach cases reported in the media. Reports such as the Experian Market Insight Snapshot, which shows that the higher your credit score, the more likely you are to become a victim of identity theft, only serve to amplify this fear.

Huge consumer frustration with government inaction and industry indifference to identity theft, especially in the US, is translating into broad-based public support for holding someone -- anyone -- accountable for securing data and protecting the integrity of our financial records. PCI DSS is supposed to raise the ante, but in reality it is a weakly enforced standard, full of compliance holes, as seen in the more recent major breaches at Heartland Payment Systems and Hannaford Supermarkets. At present, it is only possible to know after the fact whether an organization is or was compliant.

Kim Zetter, in her recent Wired story about the Savvis lawsuit, quotes Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues: “we’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it. For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”

Amen. There is no question that a gap exists between the insight and cooperation auditors often receive from the client they are auditing and what is really required to produce a full and accurate audit, but if we don't demand legal and financial accountability, that gap will never close. Although my company stands to gain from providing breach mitigation services, we don't relish it. Accountability, and even liability, for those claiming to keep data secure is much preferable to trying to catch all the horses after the barn door has been opened. We'll be watching this suit closely, hoping for everyone's sake that the legal system gets this one right.

Tags: Cards, Security
