Will decide if security auditors can be held liable for their reports

Jun 4, 2009 09:44 GMT

Four years after a major data breach at CardSystems Solutions, the auditing company that certified the payment processor is being taken to court by the bank that contracted with CardSystems on the strength of that report. Experts say the lawsuit could set an important precedent for auditor accountability.

Utah-based Merrick Bank sued Savvis Inc. last year for negligence in auditing the security solutions and policies implemented by CardSystems; the breach that followed ended up costing the bank $16 million in fraud-related losses. The trial is set to commence in Arizona in the near future, according to Wired.

In June 2004, Savvis certified CardSystems Solutions as compliant with the Cardholder Information Security Program (CISP), the precursor of today's Payment Card Industry Data Security Standard (PCI DSS). As a result, Merrick Bank signed a contract with CardSystems to process credit card transactions for its customers.

However, after only three months, hackers obtained unauthorized access to the processor's network, from where they stole the details of 263,000 credit cards, which were stored in unencrypted form. Another 40 million cards, which were never confirmed stolen, were nevertheless considered compromised because of the incident.

Even though Visa added CardSystems Solutions to its list of certified payment processors based on the Savvis report, Visa concluded after investigating the breach that the company was not actually compliant. Visa also noted that CardSystems had failed an audit in 2003, performed by a company that Savvis acquired shortly before the 2004 audit.

Merrick Bank alleges that Savvis failed to "competently and professionally assess CardSystems’ compliance," since it was later discovered that the processor was storing credit card data unencrypted for at least five years before the incident and its firewall did not meet the Visa requirements. None of these security lapses were mentioned in the Savvis audit report sent to Visa in order to get certification.

Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School, told Wired that in her opinion "it’s not clear as a matter of law to what extent a certification authority has liability in this particular context for a negligent misrepresentation of the security level of an enterprise."

This trial might clear that up and set the scene for future ones. A few months back, RBS WorldPay and Heartland Payment Systems, two large U.S.-based payment processors, suffered major data breaches that have already resulted in millions of dollars lost to fraud. Both companies were PCI DSS compliant when the incidents occurred, but were later removed from Visa's list of certified service providers.