Target, PCI Auditor Trustwave Sued By Banks Trustwave apparently certified the retailer as PCI compliant -- but can PCI assessors be held liable for data breaches? by Mathew Schwartz Infoweek
July 07, 2015Target, PCI Auditor Trustwave Sued By Banks Trustwave apparently certified the retailer as PCI compliant -- but can PCI assessors be held liable for data breaches? by Mathew Schwartz Info Week
The security firm Trustwave and the discount retailer Target have both been named in a lawsuit filed this week by Trustmark National Bank and Green Bank.
The banks are seeking class-action status for the lawsuit, as well as $5 million in damages to cover the cost of cancelling and reissuing some of their MasterCard-branded cards, which were among the 40 million credit and debit cards stolen from Target. The damages would also cover the "absorption of fraudulent charges made on the compromised payment cards, business destruction, lost profits, and/or lost business opportunities," according to the complaint.
The complaint also accused Target of failing to "safeguard and protect PII [personally identifying information] and sensitive payment card information," in part by not being compliant with Payment Card Industry Data Security Standards (PCI DSS). "Because Target and Trustwave failed their duties to 110 million customers, it falls to the banks and the other [class-action] members to protect those customers by reissuing their credit and debit cards, and communicating with those customers to prevent fraud and repay any fraudulently made purchase."
As American Banker first reported, the lawsuit revealed for the first time that Trustwave, referenced in the complaint the as having "deep expertise in PCI compliance," apparently served as Target's PCI-approved Qualified Security Assessor (QSA) while monitoring its networks for signs of intrusion. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data," the complaint reads.
But the complaint accused Trustwave of failing to provide the level of security that it promised -- and failing to meet industry standards, since the data breach continued for nearly three weeks on Trustwave's watch before it was detected by third parties and reported to Target.
Abby Ross, a Trustwave spokeswoman, told us via email: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers, and not to comment on pending legal matters." Likewise, Target spokeswoman Molly Snyder said via email that it typically doesn't comment on pending litigation.
Will the lawsuit, which accuses Target and Trustwave of collectively failing to prevent the largest retail data breach in US history, pass muster -- or even spark PCI DSS changes?
A spokesman for the PCI Security Council, which administers the PCI DSS, didn't immediately respond to an emailed request for comment about the lawsuit and the apparent attempt to hold a PCI auditor liable for its security assessment.
It's important to note that many of the allegations contained in the report are based on press reports and suggestions -- but no solid evidence -- that Target failed to comply with PCI DSS. "USA Today, among other sources… reported Target was likely not PCI DSS compliant because 'the attack, involving an enormous amount of data, went on essentially unnoticed for 18 days,'" the lawsuit reads.
In fact, Target previously confirmed that it was certified as being PCI compliant not long before the November 2013 data breach began.
The lawsuit also quoted this publication: "according to Infonationweek.com [sic], the Target data breach should never have happened." This refers to an analysis by Forrester analyst John Kindervag, who said that the theft of CVV codes "shows they were being stored," which would have violated PCI DSS. "This is a breach that should've never happened."
But Kindervag's analysis dates from Dec. 19, the day that Target first publicly confirmed the breach. Since then, digital forensic investigators have discovered that the memory-scraping malware employed by attackers intercepted card data from point-of-sale system memory in the moment after the card was swiped but before it could be encrypted and stored. Thus, for the purposes of this breach, it's irrelevant whether Target was storing CVV codes or not, because that's not how attackers stole the credit card data.
Instead, Target -- among other retailers of late -- was hacked using "sophisticated malware" that was built to exploit security weaknesses in the payment processing chain, Gartner analyst Avivah Litan said in a recent interview.
"Nothing I know of in the PCI standard could have caught this stuff," she said in a January blog post. "So I think it's flat out wrong to blame this all on Target or on any of the other breached entities."
In fact, she said, card issuers -- as well as banks -- should shoulder some of the blame. "The card-issuing banks and the card networks -- Visa, MasterCard, Amex, Discover -- share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began."
That includes their failure to pay for EMV chip security for US credit cards -- long after Europe adopted EMV -- or to put in place end-to-end, retailer-to-issuer encryption to protect all card data. Though EMV wouldn't have prevented the Target breach, Litan called out US banks and card brands for failing to spend money on proactive information security measures while transferring more of the risk to the merchants that accept their cards, in part by making them sign contracts stating that retailers, processors, and QSAs can't be held liable if there's a data breach.
Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants 'safe harbor' from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"
But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?