Two U.S. banks are suing Target’s Qualified Security Assessor, Trustwave, for damages incurred during the holiday season breach at Target, accusing the company of failing to identity security issues. The suit also claims that Trustwave’s round the clock monitoring services for Target failed to detect the intrusion into Target’s network for a full three weeks. See computerworld.com
Trustwave was just let off the hook from a similar class action suit filed by a former state senator against the South Carolina Department of Revenue, Trustwave and other parties for a database breach at the revenue department which was using Trustwave to monitor its systems. See postandcourier.com for more information.
Many headline breaches have occurred at companies certified as PCI compliant, but this is the first time that the fingers are pointing to the assessor. Gartner has long argued that PCI qualified security assessors like Trustwave should not be allowed to sell remediation and ongoing security services as Trustwave did for Target, according to the lawsuit. This has the effect of potentially destroying the integrity and independence of the assessment process.
Indeed as we wrote in a November 20, 2008 research note titled “PCI Quality Assurance Program Does Not Go Far Enough” – “The most significant enterprise complaint about PCI compliance practices is that many assessors also offer products and services that can be used to meet DSS requirements and ensure compliance to the audit. The PCI takes the same self-regulating approach to this issue that is widely regarded as having failed in the financial auditing industry and having led to the separation of consulting and accounting audit services. Gartner believes that the only truly effective approach is for the PCI to prohibit QSAs from performing remediation services for enterprises they are assessing.”
Nothing has changed on this front since 2008. In fact the situation has been exacerbated. It’s extremely difficult to find independent assessors who are not selling security services. (In fact I only know of two among the hundreds out there– I would appreciate referrals if you know of more). And the QSAs keep adding to the litany of security services that they offer.
Points to consider:
a) PCI compliance has become a big money making enterprise for the QSAs selling remediation and security services and their customers have been lulled into a false sense of security – at least in the C-level suite.
b) PCI assessor contracts generally state that the assessors have no liability if their customers are breached. But shouldn’t they be responsible for their assessments, at least for that point in time?
c) The PCI Council’s typical response to a PCI compliant entity that has been breached has been that the entity may have been compliant at the time of the ROC (report of compliance) but since became non-compliant after the report was filed. Therefore you can’t blame the assessor.
1. This argument loses validity when the assessor provides continual security monitoring services after the PCI audit.
2. Further, when the assessors offer security services, they are auditing themselves. You don’t have to be a security specialist to see that is a conflict of interest!
So what exactly is the point of PCI compliance? Sure no one can argue with good solid security standards and a lot of smart people have put some good thoughts into the PCI standard.
Personally, I think the standard is very good and thorough. It’s the enforcement process I have issues with. It’s a process rife with conflict of interests between assessors and payment processors, assessors with themselves, and even assessors with at least one card brand.
Unfortunately, I imagine that this particular lawsuit will be settled out of court, with all the documents sealed from public view. The last thing the PCI industry wants to do is have all these conflicts aired and scrutinized in court.
But maybe – and this is highly doubtful– the PCI machine will take its queue from the financial services auditing industry and voluntarily end the conflict of interests. Just as the big accounting firms had to split their auditing and consulting practices, so should the PCI assessment firms split their auditing and security services.
If nothing else changes, at least companies who have to comply with PCI will likely spend more time looking for independent security assessors. That’s just basic common sense.