Wednesday, June 3, 2009

PCI lawsuit

In the case Merrick Bank Corporation v. Savvis, Inc., the bank is taking on the QSA firm that certified the processor, CardSystems Solutions Inc.

It was only a matter of time. About 3 years ago, large CPA firms (including the practice I once led) dropped out of this boutique certification service offering. Call it a smart move, or just a keen sense of detailed analysis: how do you really attest that all the systems holding card numbers are compliant, even at a point in time, when you could have hundreds of POS (point-of-sale) terminals, backend servers and networks internetworked? We all have SAS 70s, for what they're worth, but a SAS 70 is an assurance of controls chosen by the company being audited, with each control tested as prescribed. And, yes, auditing is about sampling, and about due diligence as defined in Sarbanes-Oxley; but PCI pledges certification and then posts the list of certified companies on a website.

The past meets the present: in 2005, 40 million credit cards of all brands were exposed by the payment-card processor as a result of a vulnerability in the processor's card systems, resulting, among many other things, in a ballpark figure of $16 million in costs incurred by Merrick Bank (an acquiring bank for about 125,000 merchants). So, four years later, Merrick [and I must add that they have always been on top of the PCI requirements and due diligence, as a best practice as well as a contractual obligation] has filed a lawsuit against Savvis for negligence regarding its audit of CardSystems under the Visa Cardholder Information Security Program (CISP), the predecessor to the DSS and ROC as we know them today.

Of course, proof means everything and good lawyers can be very convincing, but the certification process is sure to be analyzed, along with jurisdiction, intent, and actual Negligence and Negligent Misrepresentation (Counts 1 and 2, respectively) at the time of the incident.

I talked about downstream impact before, so what does this actually mean to all of us?
  • Immediate, extensive scrutiny and testing by QSAs prior to issuing ROCs
  • More man-hours (and additional charges) for any PCI assessment and audit leading to certification
  • But the real news is that perhaps PCI will issue aggressive standards, not just clarifications still subject to QSA interpretation

Industry standards, certifications, and regulatory/governmental compliance are headed toward accountability, not just for the company but for the individuals asserting compliance: like executives for financial reporting, and now HIPAA for Business Associates. But will auditors be assigned responsibility (when they are merely testing the controls)?

Definitely a story to follow from the U.S. District Court for the Eastern District of Missouri, one which will continue to evolve the synergy between information security and the law... and further support company spend on IT for the "sake" of PCI.
