One of the recurring themes of the Target data breach is “compliance does not guarantee security.” As if in response to the open question of whether compliance auditors should be looked at more closely, banks filed a lawsuit on Monday in Chicago federal court against Target’s data security vendor Trustwave, along with Target itself. There are already over 90 lawsuits commenced by consumers or banks against Target, but this is the first to focus on Trustwave, which audits companies’ IT systems to ensure that they comply with credit card security regulations.
In the lawsuit, the banks claim that Trustwave “has performed more Payment Card Industry Data Security Standard (PCI DSS) certifications than all other companies combined.” The banks further claim that Trustwave advertised its “deep expertise” in PCI compliance and that, as recently as Sept. 20th, it found no vulnerabilities in Target’s computer systems.
Although Trustwave hadn’t come up in prior media reports, the banks contend that Trustwave failed to meet industry standards and, in turn, allowed hackers to steal Target customers’ personal identity information, and that it failed to timely discover and report the data breach.
Trustwave is what is known as a qualified security assessor (QSA). QSAs provide security assessments of retailers like Target that are required to be PCI compliant. Large companies are required to undergo PCI security audits every year and to have their networks scanned quarterly to assess vulnerabilities.
Interestingly, one of the remedies being sought by the banks is an injunction preventing Target from advertising that Target’s IT systems are in compliance with PCI DSS until an independent entity appointed by the court confirms it. The banks estimate that they will spend about $172 million reissuing credit and debit cards, and that their total losses could be $18 billion.
There’s been some skepticism about how effective PCI standards are, especially since the Target breach. The head of the PCI Security Standards Council has downplayed these concerns, but at the same time warned that compliance is the “bare minimum” of things that should be done for security.
This should be an interesting case, as a lot of finger pointing can be expected.