PCI-DSS Compliance: Part 2
In my previous blog entry I discussed the issue of merchants that had been certified as PCI-DSS compliant being decertified after a data security breach. There is, however, another extremely important issue connected with PCI-DSS certification after a breach: whether (or perhaps better said, to what degree) the certifier is liable when a data security breach occurs. Merrick Bank is suing Savvis on the grounds that Savvis was negligent in certifying CardSystems Solutions as compliant with the PCI-DSS standard less than a year before CardSystems Solutions' gigantic data security breach in 2005. The bank alleges that USD 16 million in fraudulent transactions resulted from this breach. Perpetrators stole information on some 40 million credit card accounts, and because CardSystems stored that credit card information in clear text, the stolen data was directly usable for fraud.
As I stated previously, being compliant with the PCI-DSS standard does not equate to having perfect information security; there is no such thing. Security breaches can and will occur in organizations that have the very best information security practices. At the same time, however, Savvis appears to have overlooked the fact that CardSystems was storing credit card data in clear text on its servers. How a competent audit could have missed what should have been a critical finding is truly difficult to understand. Of course, the devil could be in the details: a PCI-DSS assessment covers only the systems the assessed organization places in scope at the time of the assessment, so it may turn out that Savvis was never given access to the specific server, or was never informed of its existence. Based on the currently available evidence, however, Merrick Bank's lawsuit appears to have considerable merit.
But what about cases in which a merchant has implemented and conscientiously maintained all the control measures that PCI-DSS mandates and has passed a very thorough and competent PCI-DSS audit, but a data security breach occurs afterwards? How liable is the Qualified Security Assessor (QSA)? My suspicion is that the Merrick Bank vs. Savvis litigation will open the proverbial floodgates for lawsuits of this nature, and that the ruling in this case will set a powerful precedent for future rulings in cases of this kind. If so, it is easy to anticipate that organizations will think twice about becoming QSAs because of the risk of being sued after a data security breach. Whereas organizations have so far been eager to join the ranks of QSAs, they are likely to become hesitant about performing PCI-DSS audits at all.

And if PCI-DSS auditors face greater legal risk in connection with future data security breaches, the cost of these audits will, unfortunately, most likely rise sharply. If this happens, merchants will not only grumble even more about having to obtain PCI-DSS certification, but will in all likelihood choose the QSA that submits the lowest bid. But you get what you pay for: the lowest bidder will very often be the least qualified audit service provider, which will in turn lead to more data security breaches, which will then lead to more lawsuits against QSAs. A vicious cycle is thus likely to result. So stay tuned; many interesting PCI-DSS-related events and rulings are about to happen.