Wednesday, June 3, 2009

Dangerous Times for PCI Regulations, Auditors

An interesting predicament which could completely undermine the whole of the PCI-DSS initiative has landed in the lap of Savvis... in the aftermath of the massive CardSystems Solutions hack.  A lawsuit filed by Merrick Bank is targeting not the company that got hacked - but rather the auditor who certified it PCI compliant!  Savvis is being targeted because it allegedly missed something that led to the massive breach which CardSystems experienced.

Wanting to get to the bottom of the story, and maybe get some rationale on why they're suing the auditor, not the company which got hacked, I tried to go to the stables and get it right from the horse's mouth.  This proved to be much more difficult than one would think.  First, Merrick Bank doesn't seem to like people calling to talk about non-account matters, and has no specific phone number for non-account issues.  After bouncing around the switchboard I spoke with someone who identified herself as Myleen (sp?) and would only say that "Card Works official statement on this is No Comment" and hung up.  I'm fascinated by this reply, although I'm not entirely surprised.  Merrick Bank appears to be a little short of friendly if you don't have an account with them.  Their security page on their site is also... amusing.

So this begs the question - why sue the auditor?  It's clear that Merrick Bank will have to prove both that the auditor (Savvis) was negligent and that the issue in question (the condition that led to the breach) was present at the time of the audit.  That's going to be challenging at best, although this quote from a Wired article may prove otherwise...

After the hack, it was discovered that CardSystems, which has since filed for bankruptcy, had been improperly storing unencrypted card data for more than five years, something Savvis should have known and reported to Visa. The processor’s firewall was also non-compliant with Visa’s standards. “Consequently, Savvis’ . . . indicating that CardSystems was in full compliance with CISP was false and misleading,” the complaint says.  (Wired News)

So with that in mind, the suit moves forward, and PCI continues to be thrashed about in these troubled waters we live in.  Let's take a step back though and analyze what this type of lawsuit could do to the already-fragile PCI-QSA ecosystem.

As it stands the credit card industry is largely self-regulated... and VISA and Mastercard have worked pretty hard to get some standards for digital card security in place.  They've even built an ecosystem around this self-regulation in the form of standards bodies, auditors, and vendors ready to take a company which meets the minimum requirements from zero to compliant.  Now it would seem as though the foundation of that ecosystem, the QSAs, is being targeted by this Merrick Bank suit.  Let's make no mistake: this could spell disaster for the whole ecosystem if Merrick Bank wins this suit.

QSAs are faced with a serious issue here.  On the one hand they should absolutely be held responsible for the audits they conduct... only someone criminally insane would argue otherwise.  On the other side of that coin it can be argued that to hold a QSA accountable for a compliance failure (at some point other than the day of the audit) which leads to a compromise or breach is just as insane.  This of course breaks the argument back down into its most basic question, one which has been debated over and over in academic circles, public forums and on stages all over... what is the role of the PCI-DSS in the overall security of credit card data?  If we accept that the PCI-DSS is a best-practice regulation and does not in fact guarantee security, and agree that compliance at its best is a point-in-time event... what does that relegate the PCI QSAs to?

It seems like there is a serious crisis brewing.  If this suit proceeds, and Merrick Bank should somehow triumph and prove Savvis negligent - the cost of a QSA PCI-DSS audit will undoubtedly skyrocket.  Those costs will then be, without a doubt in my mind, translated into fewer audits being done... and in the end this will lead to (at least a partial) failure of the PCI-DSS.

I'm torn.  While I want to see QSA accountability... I also want to see the PCI-DSS evolve and not be undermined by its own sword.  As I've said before, this is a dangerous time to be in the PCI game...

NOTE: If you're looking for a brilliant lawyer's-eye view of this case you can read the analysis by David Navetta, here... on his blog "InfoSec Compliance".

7 comments:

Anonymous said...

security@merrickbank.com

LonerVamp said...

Sadly, this bucks up against the powerful forces of economics. Economics of a company to pass an audit "at any cost up to and including lying/subterfuge."* Economics of audit firms to pass their clients to preserve future business.

This is scary stuff, and yet exciting. It should result in more honesty and spending by companies. It should lead to more visibility and power for auditors who aren't going to let a client hide the bad stuff from them or bound them by such limited scope that they can't assess properly, etc.

But it's scary too, as I feel the more layers of laws and standards we wrap around digital security, the more attackers can slip in between the cracks and be far more agile with their lack of rules and boundaries.


*I'm not quoting anything, just labeling a bit of sarcasm...

Anonymous said...

I'm not sure why this is coming to people as such a shock. Anyone who has worked with a QSAC (a company that employs QSAs and sells assessments) knows that QSACs have to sign off on unlimited liability in their contracts. I think all this time, QSAs have been telling themselves that this is entirely theoretical, and that they're "just the auditor."

Guess what? Time to grow up, and realise that when your customer can be fined millions of dollars if you screw up, then there's going to be some accountability. Accountants have dealt with this for years. Hopefully this will result in a weeding out of the QSACs that have pretty much been selling a rubber stamp since PCI started up. Good riddance to 'em.

Rebecca Herold said...

Nice points, Rafal!

I provided my views about this case at http://bit.ly/Wiras (http://www.realtime-itcompliance.com/privacy_and_compliance/2009/06/audits_show_things_at_a_moment.htm)

Chris Mullins said...

If Savvis loses this case, you can expect QSAs to become much more like the Big4 external auditors of the post-Enron era. You can expect a QSA audit to become much more arduous - something akin to a deposition.

Raf said...

@Chris Mullins: You know... I could be OK with that. Formality, rigidity and accountability is what we want in an auditor... right?

"Shopping around" for an auditor who will "overlook" things is a travesty and a slap in the face of the PCI regs...

I'm starting to hope that Merrick Bank wins. *shudder*

pci said...

helpful message
