Menu
Security Services
Vulnerability Assessments
Penetration Testing
Web Application Assessment
Secure Code Review
Web Application Security
Network Security
SPIguard Certification
Training
Resources
Client Resources
PCI Merchant Levels
PCI Validation Procedures for Merchants
PCI Service Provider Levels
PCI Validation Procedures for Service Providers
Blog
About
Contact SPIguard
Careers@SPIguard
CNWylie Group of Companies
Code of Conduct
Privacy Policy

Should a QSA and the Merchant be held liable for security breaches! LOL Seriously!

July 07, 2015

The below is an exerpt from the article written by Mathew Schwartz on the Target breach and subsequent lawsuit against the merchant and their QSA!!
Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants 'safe harbor' from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"

But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?

Well...ask yourself this question...why do the Card Brands still use card numbers for their credit cards. Chip card could eliminate the need for outward facing card numbers. So ask yourself why the Financial intitutions took so long in instituting EMV...it is still not fully adopted in the United States and other partS of the world because of its extreme cost implement. Mag stripes on cards are open invitations to criminals.
Because Financial institutions and the Card brands own the card numbers, who is ultimately responsible for protecting their interests...Wouldn't, Shouldn't it really be the Card Brands/Banks themselves who are responsible for their own card numbers and any fraud loss.

Ask yourself...if you as a Card brand created a security requirement program like PCI and PA-DSS and didn't enforce it across all merchants and service providers so that every employee is educated and trained to basic security and social engineering as it pertains to their departments...If you didn't as the owner of the card numbers follow through on your own program protection enforecement...wouldn't it be logical that the owner of the card numbers be responsible and the buck stop with the actual owners of the card numbers?

In my opinion the buck stops with the Financial Institutions and the Card Brands themselves. We don't need card numbers to conduct financial transactions now...We haven't for a long time!

So why do card numbers still exist on credit cards when they can be so easily stolen and create such lucrative revenue streams for criminals....hmmmmmmmm!!

  • Request a quote

    SPIguard offers very competitive pricing for all its services. Call or email us to have one of our team members contact you with a quote.

  • Contact

    Suite 200 – 100 Park Royal South,
    West Vancouver, BC, V7T 1A2
    (604) 684-5671
    1-800-811-7811
    (604) 684-5676

    Contact Form