Trustwave sued for PCI’s faults
There can be little doubt that there were huge security failings at Target when it was breached late last year and 40 million credit card details were stolen. Just two months previously it had been assessed as compliant with the PCI DSS security standard. While we are not privy to the details of that assessment, two months later Target was clearly not, or no longer, compliant: it had failed to adequately segment its networks, it was storing the cards’ security codes, and more.
Now Target’s PCI qualified security assessor (QSA), Trustwave, which also provided its security monitoring, is being sued for failures that led to ‘monumental’ damage. That is going to be difficult to prove. Trustwave will have followed the PCI DSS guidelines, and proving that it did not will be hard; in fact, it will be easier to demonstrate failings in PCI DSS itself than in Trustwave’s adherence to it. “Several years ago,” Ilia Kolochenko, CEO at High-Tech Bridge, told me by email, “I notified the PCI Council about vulnerabilities (including a critical one) on its own website. Obviously, PCI DSS standard is continuously improving, but I think that practically speaking it’s still far from being perfect today.”
But the suit is not merely difficult to prove; it is monumentally absurd. If we were to sue our anti-virus supplier every time it failed to stop a virus, we would very soon have no security industry at all. Perhaps we should sue the police for not stopping that car theft in Much-Binding-in-the-Marsh in 1952…
No, this law suit is absurd and deserves to fail monumentally. It is just the banks doing what they do best – attempting to spread the blame elsewhere, and make someone else pay for their own errors. For make no mistake, the fault here lies with the finance industry more than anyone else. It lies with the banks for not insisting that bank cards switch to the far more secure EMV (chip and PIN) standard, and with the PCI Security Standards Council for spreading the lie that conforming to PCI DSS will ensure security.
(As an aside, some four weeks ago I wrote to the PCI Security Standards Council – the group that develops the PCI Data Security Standard – and asked: “Do all the recent US retail breaches prove that PCI DSS doesn’t work?” I did not get a reply.)
So, is Trustwave faultless? Certainly not. Trustwave provided both the security assessment and the security mitigation, and that is clearly wrong: if it did not pick up problems in the assessment, it would not be looking for them in the mitigation. But it did so because it was allowed to do so. So once again it is PCI that is at fault. You cannot blame Trustwave for making money where it is allowed to. It is PCI that must ensure that assessment and mitigation are segregated.
Until we escape from the wrong and blinkered view that compliance provides security, there will be more Targets in the future.