Lawsuit over CardSystems breach
May 31st, 2009 by cmark. Posted in PCI DSS

This month, Digital Transactions published a story announcing that a major acquirer is now suing a former QSA over the CardSystems breach. As stated in the article: "The suit calls the Savvis inspection report 'false and misleading,' and claims Savvis failed to use 'reasonable care and competence in representing that CardSystems was CISP-compliant when in fact it was not.'"
While this is not the first lawsuit related to a data breach, it is particularly troubling for a number of reasons. The bank is accusing the former QSA of making 'false and misleading' claims by 'representing that CSSI was compliant'. It is difficult to dispute that in some instances QSAs have made mistakes. It is equally difficult to pin the blame for every compromise on the QSA who conducted the work.
For full disclosure, I worked at the former QSA in question and I know the consultant who did the work. The person is highly qualified and does very good work. For those who are relatively new to the PCI space, it should be noted that in 2003 there were no QSAs. There were Qualified Data Security Professionals (QDSPs), and there was no training required to become a QDSP, nor was there a formal approval or registration process before companies could perform CISP work. I say CISP because this was before the PCI DSS existed: during 2003 and 2004 the standard was still owned and managed by Visa US and was known as the CISP (Cardholder Information Security Program) standard.
As stated in a CNN article, in 2005 MasterCard spokesperson Jessica Antle released the following statement on the breach: "It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data."
Let's evaluate this statement in light of the CISP standard. Requirement 5 covers the installation and operation of anti-virus software. It states that anti-virus software 1) must be installed on all systems commonly affected by viruses, 2) must be actively running, 3) must be configured for automatic updates, and 4) must be capable of logging.
The standard does not require that a QSA (or a QDSP, in 2005) verify that malicious software is NOT present on a system. Furthermore, if my memory serves correctly, CSSI was retaining full magnetic stripe data in violation of the card brand rules. This was confirmed in the same CNN article, which said: "CardSystems has admitted it was improperly holding consumer credit card data by keeping a file on credit card transactions that failed to receive authorization."
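The violation at issue is retained full magnetic stripe (track) data. As an added example, not from the original post or from any of the parties named in it, the following scanner shows the kind of "trust but verify" check an assessor can run over a retained transaction file to find such data. The track layouts follow ISO/IEC 7813 (Track 1: %B<PAN>^<NAME>^<YYMM><service code>...? ; Track 2: ;<PAN>=<YYMM><service code>...?), a Luhn check filters out digit strings that are not card numbers, and the log lines and card numbers in SAMPLE_LOG are constructed test values, not data from the breach.

```python
import re
from typing import Dict, List

# Track 1 and Track 2 layouts per ISO/IEC 7813. The PAN is 13-19 digits,
# the expiry is YYMM and the service code is three digits; anything up to
# the '?' end sentinel is discretionary data.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")

# Constructed sample: a file of declined transactions, the scenario the
# CNN quote describes. Line 3 carries a digit string that fails Luhn and
# line 4 is already masked; neither should be reported.
SAMPLE_LOG = """\
2005-05-20 12:01:07 decline txid=1001 data=;4111111111111111=08051011234567890?
2005-05-20 12:01:09 decline txid=1002 data=%B5500000000000004^DOE/JANE^0806101123400000?
2005-05-20 12:01:11 decline txid=1003 data=;4111111111111112=08051011234567890?
2005-05-20 12:02:00 approved txid=1004 pan=411111******1111 exp=0805
"""


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check: rejects digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in any finding we record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Dict[str, str]]:
    """Return one finding per Luhn-valid track record found in the text.

    Findings carry a masked PAN only, so the scanner's own output does not
    become another copy of the sensitive authentication data.
    """
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            pan, expiry, svc = m.group(1), m.group(3), m.group(4)
            if luhn_ok(pan):
                findings.append({"line": lineno, "track": "1",
                                 "pan": mask_pan(pan), "expiry": expiry,
                                 "service_code": svc})
        for m in TRACK2_RE.finditer(line):
            pan, expiry, svc = m.group(1), m.group(2), m.group(3)
            if luhn_ok(pan):
                findings.append({"line": lineno, "track": "2",
                                 "pan": mask_pan(pan), "expiry": expiry,
                                 "service_code": svc})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: track {f['track']} data, PAN {f['pan']}, "
              f"exp {f['expiry']}, service code {f['service_code']}")
```

Run against SAMPLE_LOG it reports two findings (lines 1 and 2) and ignores the Luhn-invalid and already-masked lines. On a real engagement the same scan would be pointed at database dumps, log directories and core files rather than a string literal, and the point of the Luhn filter is to keep the assessor from chasing timestamps and sequence numbers that merely look like PANs.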
It is difficult to envision how the QSA was at fault in this situation. The report was submitted, and it was accepted by a major card brand.
Unfortunately, what we are beginning to see in the industry is an increase in lawsuits against QSAs under the "reasonable man" or "reasonableness" standard. While I am certainly not an attorney, I have had a number of discussions with legal eagles on this topic. (If you are an attorney, please provide any input you think relevant.)
According to Wikipedia: "The reasonable person is a legal fiction of the common law representing an objective standard against which any individual's conduct can be measured. It is used to determine if a breach of the standard of care has occurred, provided a duty of care can be proven."

"The reasonable person standard holds: each person owes a duty to behave as a reasonable person would under the same or similar circumstances. While the specific circumstances of each case will require varying kinds of conduct and degrees of care, the reasonable person standard undergoes no variation itself. This standard performs a crucial role in determining negligence in both criminal law—that is, criminal negligence—and tort law. The standard also has a presence in contract law, though its use there is substantially different."
In short, it says that even if the CISP (now the PCI DSS) or any other standard does not require a QSA to do something, the QSA, as a security professional, must still conduct the assessment the way any reasonable person would under the same circumstances. As can be imagined, this is very troubling.
This is one of the first lawsuits in our industry to apply this legal theory. It will be interesting to see how it comes out. We are beginning to see the line between 'compliance' and 'security' blur.
It is anticipated that we will continue to see lawsuits against QSAs whenever a company is breached. This will continue to increase the cost of compliance for all companies and will continue to pose challenges for the industry.
7 Responses to “Lawsuit over CardSystems breach”
By Settlement Loans on May 31, 2009
I agree; the fine line between security and compliance is thin and these waters can get troubling if a suit like this is successful.
By Anton Chuvakin on Jun 1, 2009
>It is difficult to envision how the
>QSA was at fault in this situation.
I think you provided the answer to this above:
A. "CardSystems has admitted it was improperly holding consumer credit card data by keeping a file on credit card transactions that failed to receive authorization."
B. QSA did not report this and rated them as "compliant" despite the above "obvious" violation.
A + B = negligence?
By cmark on Jun 1, 2009
It is not the QSA’s job to find sensitive authentication data for the client. The company has the responsibility to comply with the card brand rules. If the SAD was in a database table or somewhere that the QSA looked, then maybe. At the end of the day, the company should not have been storing data.
The confirmation of report accuracy document was a result of this type of situation.
By Anton Chuvakin on Jun 1, 2009
Well, I dunno about that. If the "QSA" assessed them on CISP requirements and one such requirement was 'not to store track data' and they told him 'sure, we are OK on that req,' what are the possibilities:
1. they lied
2. they didn’t know
3. the person who answered didn’t know but still chose to answer
4. something else.
I suspect in at least cases 2-3, it can be seen as partially assessor’s fault. I don’t know how good QSAs treat the case #1 above, however.
By pci punk on Jun 1, 2009
As Mr Dahn says, trust but verify!
What happened to Mr Dahn anyway?
Did he leave Aegenis?
By Sebastian Kübeck on Jun 9, 2009
@Anton Chuvakin: You are perfectly right. If the QSA didn’t know of the existence of unencrypted card data (or he is a good liar), there is no way to make him responsible.
BTW: If an audit is only about compliance, why is the guy called “Qualified Security Assessor” and not “Qualified Compliance Assessor” ?
By Edwin on Sep 6, 2009
I agree with this one.
@Sebastian Kübeck has the right thought:
If an audit is only about compliance, why is the guy called “Qualified Security Assessor” and not “Qualified Compliance Assessor” ?
freeannualcreditreport.com