Wanting to get to the bottom of the story, and maybe get some rationale on why they're suing the auditor rather than the company which got hacked, I tried to go to the stables and get it right from the horse's mouth. This proved to be much more difficult than one would think. First, Merrick Bank doesn't seem to like people calling to talk about non-account matters, and has no specific phone number for non-account issues. After bouncing around the switchboard I spoke with someone who identified herself as Myleen (sp?) and would only say that "Card Works official statement on this is No Comment" and hung up. I'm fascinated by this reply, although I'm not entirely surprised. Merrick Bank appears to be a little short of friendly if you don't have an account with them. Their security page on their site is also... amusing.
So this begs the question - why sue the auditor? It's clear that Merrick Bank will have to prove both that the auditor (Savvis) was negligent and that the issue in question (the condition that led to the breach) was present at the time of the audit. That's going to be challenging at best, although this quote from a Wired article may prove otherwise...
After the hack, it was discovered that CardSystems, which has since filed for bankruptcy, had been improperly storing unencrypted card data for more than five years, something Savvis should have known and reported to Visa. The processor’s firewall was also non-compliant with Visa’s standards. “Consequently, Savvis’ . . . indicating that CardSystems was in full compliance with CISP was false and misleading,” the complaint says. (Wired News)
So with that in mind, the suit moves forward, and PCI continues to be thrashed about in these troubled waters we live in. Let's take a step back though and analyze what this type of lawsuit could do to the already-fragile PCI-QSA ecosystem.
As it stands the credit card industry is largely self-regulated... and Visa and Mastercard have worked pretty hard to get some standards for digital card security in place. They've even built an ecosystem around this self-regulation in the form of standards bodies, auditors, and vendors ready to take a company which meets the minimum requirements from zero to compliant. Now it would seem as though the foundation of that ecosystem, the QSAs, is being targeted by this Merrick Bank suit. This could spell disaster for the whole ecosystem if Merrick Bank wins this suit, let's make no mistake.
QSAs are faced with a serious issue here. On the one hand they should absolutely be held responsible for the audits they conduct... only someone criminally insane would argue otherwise. On the other side of that coin it can be argued that to hold a QSA accountable for a compliance failure (at some point other than the day of the audit) which leads to a compromise or breach is just as insane. This of course breaks the argument back down into its most basic question, one which has been debated over and over in academic circles, public forums and on stages all over... what is the role of the PCI-DSS in the overall security of credit card data? If we accept that the PCI-DSS is a best-practice regulation and does not in fact guarantee security, and agree that compliance at its best is a point-in-time event... what does that relegate the PCI QSAs to?
It seems like there is a serious crisis brewing. If this suit proceeds, and Merrick Bank should somehow triumph and prove Savvis negligent - the costs of a QSA PCI-DSS audit will undoubtedly skyrocket. Those costs will then be, without a doubt in my mind, translated into fewer audits being done... and in the end this will lead to (at least a partial) failure of the PCI-DSS.
I'm torn. While I want to see QSA accountability... I also want to see the PCI-DSS evolve and not be undermined by its own sword. As I've said before this is a dangerous time to be in the PCI game...