PCI Auditor becomes PCI Defendant
The breach at CardSystems Solutions back in 2004 resulted in one of the largest credit card losses at that time, with an estimated 40 million compromised accounts. Now fast forward almost 5 years to the present day, and this incident is still wreaking havoc on our legal system – this time, however, it is the PCI auditor, Savvis, that is being sued for negligence in certifying that CardSystems was compliant (for more details see the full story at Wired). The plaintiff in this case is Merrick Bank, a customer of CardSystems, which claims that its decision to do business with CardSystems was predicated on CardSystems meeting the payment card system's standards (known as CISP at that time).
As an IT security company, we will definitely find it interesting to watch this case progress and see how the courts view these complex legal issues. More importantly, however, it raises the need to remind businesses out there that PCI certification does not guarantee your safety. It is merely a set of best practices that, when followed properly, will lower your overall risk. Managing IT security is not a "once a year" process undertaken to achieve certification; rather, it needs to be a proactive, continual life-cycle process that is driven through all aspects of the business on a regular basis.
And now, with the harsh economic environment, we hear customers asking "what is the least I can do to achieve my PCI certification?" Obviously, this check-box mentality is being driven by the need for compliance rather than security. However, leveraging a true security life-cycle process that meets regulatory requirements will not only help you achieve the certification but, if done properly, can actually generate higher returns on your investments and more cost savings. This can only be done at a strategic level, and will never be achieved using the tactical check-box approach so many businesses have come to rely on.
Additionally, I think this should also make customers take a longer look at who is conducting their certification testing. Is the cheapest solution the right choice? Is the price being driven lower through over-use of automated tools that don't provide a true perspective of the underlying risks in an organization? Is the auditor too close to the organization because they have potential future business at stake if a bad report were generated? Should the company providing the PCI auditor, who is supposed to be validating the results, also be the one performing the technical testing? Or, simply, are too many corners being cut in an effort to maximize profits by creating cookie-cutter auditors carrying generic checklists rather than leveraging more expensive security professionals?
Only time will tell, but the outcome of this case could drastically change the PCI Auditor space – let’s just hope it is for the better.