US banks take Trustwave and Target to court

In the aftermath of the major security attack on the Target supermarket chain in the USA, two banks are suing Target and Trustwave for damages, alleging multiple failings in PCI-DSS compliance testing.

If any security professionals feel that issues of managing and imposing compliance and governance requirements on a business are a minor irritant fit only for the terminally pedantic, news from the USA may change their minds.

Two US banks that suffered as a result of the major attack against the Target supermarket chain earlier this year have decided to sue Trustwave Holdings for damages. Trustwave is the company responsible for validating Target’s compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

The case hinges on the discovery that the hack succeeded because the attackers found that the software running the card readers was essentially undefended. This meant that malware could be inserted into software that simply collected the card details of Target customers as they were read and forwarded the information to the hackers.

Now Trustmark National Bank and Green Bank N.A. have filed a suit in federal court in Chicago, suing not only Trustwave but also Target itself for failing to protect customer payment card data. The lawsuit seeks class action status, which would allow other parties that consider themselves injured by the attack to join in. Both companies face a number of charges, including negligence, deceptive practices, and negligent misrepresentation.

The suit seeks compensatory and statutory damages for what the banks claim were the losses they sustained in cancelling and reissuing the credit and debit cards exposed in the Target data breach.

PCI security audits of large enterprises such as Target take place every year. This includes having to perform onsite vulnerability scans of their networks at least once each quarter. As a result of the attack, Target has already been hit with a very large fine for its PCI compliance failure.

One possible line of defence Trustwave might take is the recent history of PCI compliance testing. There have been several serious security breaches at enterprises that had been certified as compliant, and this has prompted questions about the strength of the compliance testing process itself.

Compliance testing is performed by independent third-party businesses called Qualified Security Assessors (QSAs), and Trustwave is one of this band of businesses. In addition to compliance testing, it also provides security services that help businesses reach the compliance standard. It was the company that undertook the compliance testing for Target.

The court case is likely to hinge on the fact that the PCI Standards Council dismisses any suggestion of weakness in its compliance validation processes. Its position is clear: if a company is breached, it cannot have been compliant. One must assume that Trustwave and Target will base at least part of their defence on compliance validation and vulnerability scans having been performed 'according to the book'.

So this is a case of some significance, not just on the issue of PCI compliance, but for establishing the validity of compliance testing procedures across the board. It may lead to much stricter controls on what is tested and, more importantly, how it is tested. Simply asking business users questions, and ticking boxes based on the answers, may no longer be considered rigorous enough.
