Target, PCI Auditor Trustwave Sued By Banks

Published: 22/11/2024   Category: security




Trustwave apparently certified the retailer as PCI compliant -- but can PCI assessors be held liable for data breaches?



The security firm Trustwave and the discount retailer Target have both been named in a lawsuit filed this week by Trustmark National Bank and Green Bank.
The banks are seeking class-action status for the lawsuit, as well as $5 million in damages to cover the cost of cancelling and reissuing some of their MasterCard-branded cards, which were among the 40 million credit and debit cards stolen from Target. The damages would also cover the "absorption of fraudulent charges made on the compromised payment cards, business destruction, lost profits, and/or lost business opportunities," according to the complaint.
The complaint also accused Target of "failing to safeguard and protect PII [personally identifying information] and sensitive payment card information," in part by not being compliant with the Payment Card Industry Data Security Standard (PCI DSS). "Because Target and Trustwave failed their duties to 110 million customers, it falls to the banks and the other [class-action] members to protect those customers by reissuing their credit and debit cards, and communicating with those customers to prevent fraud and repay any fraudulently made purchase."
[How can businesses stay ahead of black market bad guys? Read Cybercrime Black Markets Grow Up.]
As American Banker first reported, the lawsuit revealed for the first time that Trustwave, referenced in the complaint as having "deep expertise in PCI compliance," apparently served as Target's PCI-approved Qualified Security Assessor (QSA) while monitoring its networks for signs of intrusion. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data," the complaint reads.
But the complaint accused Trustwave of "failing to provide the level of security that it promised" and "failing to meet industry standards, since the data breach continued for nearly three weeks on Trustwave's watch before it was detected by third parties and reported to Target."
Abby Ross, a Trustwave spokeswoman, told us via email: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers, and not to comment on pending legal matters." Likewise, Target spokeswoman Molly Snyder said via email that it typically doesn't comment on pending litigation.
Will the lawsuit, which accuses Target and Trustwave of collectively failing to prevent the largest retail data breach in US history, pass muster -- or even spark PCI DSS changes?
A spokesman for the PCI Security Standards Council, which administers the PCI DSS, didn't immediately respond to an emailed request for comment about the lawsuit and the apparent attempt to hold a PCI auditor liable for its security assessment.
It's important to note that many of the allegations contained in the report are based on press reports and suggestions -- but no solid evidence -- that Target failed to comply with PCI DSS. "USA Today, among other sources… reported Target was likely not PCI DSS compliant because the attack, involving an enormous amount of data, went on essentially unnoticed for 18 days," the lawsuit reads.
In fact, Target previously confirmed that it was certified as being PCI compliant not long before the November 2013 data breach began.
The lawsuit also quoted this publication: "according to Infonationweek.com [sic], the Target data breach should never have happened." This refers to an analysis by Forrester analyst John Kindervag, who said that the theft of CVV codes shows they were being stored, which would have violated PCI DSS. "This is a breach that should've never happened."
But Kindervag's analysis dates from Dec. 19, the day that Target first publicly confirmed the breach. Since then, digital forensic investigators have discovered that the memory-scraping malware employed by attackers intercepted card data from point-of-sale system memory in the moment after the card was swiped but before it could be encrypted and stored. Thus, for the purposes of this breach, it's irrelevant whether Target was storing CVV codes or not, because that's not how attackers stole the credit card data.
Instead, Target -- among other retailers of late -- was hacked using sophisticated malware that was built to exploit security weaknesses in the payment processing chain, Gartner analyst Avivah Litan said in a recent interview.
"Nothing I know of in the PCI standard could have caught this stuff," she said in a January blog post. "So I think it's flat out wrong to blame this all on Target or on any of the other breached entities."
In fact, she said, card issuers -- as well as banks -- should shoulder some of the blame. "The card-issuing banks and the card networks -- Visa, MasterCard, Amex, Discover -- share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began."
That includes their failure to pay for EMV chip security for US credit cards -- long after Europe adopted EMV -- or to put in place end-to-end, retailer-to-issuer encryption to protect all card data. Though EMV wouldn't have prevented the Target breach, Litan called out US banks and card brands for failing to spend money on proactive information security measures while transferring more of the risk to the merchants that accept their cards, in part by making them sign contracts stating that retailers, processors, and QSAs can't be held liable if there's a data breach.
Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants safe harbor from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"
But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?
Vulnerability scanning and patch management are key to enterprise security, but fears from the business side about downtime and broken apps often get in the way of IT pros' efforts in these areas. In this Dark Reading report, we recommend a vulnerability scanning and patch management framework that accommodates all stakeholders while raising security standards. Read our Analyzing Vulnerabilities In Business-Critical Applications report today (free registration required).
