Risk // Compliance
3/26/2014
01:51 PM
Connect Directly
RSS
E-Mail
50%
50%

Target, PCI Auditor Trustwave Sued By Banks

Trustwave apparently certified the retailer as PCI compliant -- but can PCI assessors be held liable for data breaches?

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

The security firm Trustwave and the discount retailer Target have both been named in a lawsuit filed this week by Trustmark National Bank and Green Bank.

The banks are seeking class-action status for the lawsuit, as well as $5 million in damages to cover the cost of cancelling and reissuing some of their MasterCard-branded cards, which were among the 40 million credit and debit cards stolen from Target. The damages would also cover the "absorption of fraudulent charges made on the compromised payment cards, business destruction, lost profits, and/or lost business opportunities," according to the complaint.

The complaint also accused Target of failing to "safeguard and protect PII [personally identifying information] and sensitive payment card information," in part by not being compliant with Payment Card Industry Data Security Standards (PCI DSS). "Because Target and Trustwave failed their duties to 110 million customers, it falls to the banks and the other [class-action] members to protect those customers by reissuing their credit and debit cards, and communicating with those customers to prevent fraud and repay any fraudulently made purchase."

[How can businesses stay ahead of black market bad guys? Read Cybercrime Black Markets Grow Up.]

As American Banker first reported, the lawsuit revealed for the first time that Trustwave, referenced in the complaint the as having "deep expertise in PCI compliance," apparently served as Target's PCI-approved Qualified Security Assessor (QSA) while monitoring its networks for signs of intrusion. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data," the complaint reads.

But the complaint accused Trustwave of failing to provide the level of security that it promised -- and failing to meet industry standards, since the data breach continued for nearly three weeks on Trustwave's watch before it was detected by third parties and reported to Target.

Abby Ross, a Trustwave spokeswoman, told us via email: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers, and not to comment on pending legal matters." Likewise, Target spokeswoman Molly Snyder said via email that it typically doesn't comment on pending litigation.

Will the lawsuit, which accuses Target and Trustwave of collectively failing to prevent the largest retail data breach in US history, pass muster -- or even spark PCI DSS changes?

A spokesman for the PCI Security Council, which administers the PCI DSS, didn't immediately respond to an emailed request for comment about the lawsuit and the apparent attempt to hold a PCI auditor liable for its security assessment.

It's important to note that many of the allegations contained in the report are based on press reports and suggestions -- but no solid evidence -- that Target failed to comply with PCI DSS. "USA Today, among other sources… reported Target was likely not PCI DSS compliant because 'the attack, involving an enormous amount of data, went on essentially unnoticed for 18 days,'" the lawsuit reads.

In fact, Target previously confirmed that it was certified as being PCI compliant not long before the November 2013 data breach began.

The lawsuit also quoted this publication: "according to Infonationweek.com [sic], the Target data breach should never have happened." This refers to an analysis by Forrester analyst John Kindervag, who said that the theft of CVV codes "shows they were being stored," which would have violated PCI DSS. "This is a breach that should've never happened."

But Kindervag's analysis dates from Dec. 19, the day that Target first publicly confirmed the breach. Since then, digital forensic investigators have discovered that the memory-scraping malware employed by attackers intercepted card data from point-of-sale system memory in the moment after the card was swiped but before it could be encrypted and stored. Thus, for the purposes of this breach, it's irrelevant whether Target was storing CVV codes or not, because that's not how attackers stole the credit card data.

Instead, Target -- among other retailers of late -- was hacked using "sophisticated malware" that was built to exploit security weaknesses in the payment processing chain, Gartner analyst Avivah Litan said in a recent interview.

"Nothing I know of in the PCI standard could have caught this stuff," she said in a January blog post. "So I think it's flat out wrong to blame this all on Target or on any of the other breached entities."

In fact, she said, card issuers -- as well as banks -- should shoulder some of the blame. "The card-issuing banks and the card networks -- Visa, MasterCard, Amex, Discover -- share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began."

That includes their failure to pay for EMV chip security for US credit cards -- long after Europe adopted EMV -- or to put in place end-to-end, retailer-to-issuer encryption to protect all card data. Though EMV wouldn't have prevented the Target breach, Litan called out US banks and card brands for failing to spend money on proactive information security measures while transferring more of the risk to the merchants that accept their cards, in part by making them sign contracts stating that retailers, processors, and QSAs can't be held liable if there's a data breach.

Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants 'safe harbor' from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"

But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?

Vulnerability scanning and patch management are key to enterprise security, but fears from the business side about downtime and broken apps often get in the way of IT pros' efforts in these areas. In this Dark Reading report, we recommend a vulnerability scanning and patch management framework that accommodates all stakeholders while raising security standards. Read our Analyzing Vulnerabilities In Business-Critical Applications report today (free registration required).

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jlindema
50%
50%
jlindema,
User Rank: Apprentice
3/28/2014 | 6:55:29 PM
card brands and banks have failed to invest sufficient resources...
Bingo!
I have no sympathy for card-issuing banks.
I believe banks should bear the costs of advancing card technology, NOT the merchants.

Skimming fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (over 7) years. Just one of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant. This is the only solution that I know of that works for BOTH card-not-present and card-present transactions. Chip and PIN is a great step forward, but ONLY addresses the problem when the card is present.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it's "too costly". This is not entirely true.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.
A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

Again- whether or not card data is stored at (or scrapped from) the POS terminal is irrelevant, if the data itself (the card number) changes with every transaction.

See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
Here: http://bit.ly/19fbXKb
(last archived by archive.org on Oct. 1st, 2013).

Target, Neiman Marcus, Michael's, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.
marter25
50%
50%
marter25,
User Rank: Apprentice
3/28/2014 | 2:13:44 PM
Re: Compliant vs. non-compliant is how hard you look
However, this is not Trustwave's first rodeo. A few years back a payment processor got breached and Trustwave was their QSA as well.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 6:36:43 PM
PCI Security Council Weighs In
I just heard back from Bob Russo, general manager of the PCI Security Standards Council, about the organization's POV on the lawsuit filed against Trustwave and Target. Here's what he says: 

As the Council does not conduct PCI compliance assessments, we cannot speculate on any specific assessment or any related lawsuits or ongoing investigations. The Council reminds organizations that a compliance assessment is just a snapshot in time and that passing a PCI compliance assessment at one point in time does not guarantee the ongoing security of your business or data. PCI Standards are a strong security baseline to help businesses prevent, defend and detect attacks on their systems with a layered approach. But just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process.

Ed Moyle
100%
0%
Ed Moyle,
User Rank: Apprentice
3/27/2014 | 4:45:11 PM
Compliant vs. non-compliant is how hard you look
Back in the day when I was a QSA, I would tell folks that the difference between a compliant environment and a non-compliant one was in how hard you look.  

What I mean by that is that any large cardholder data environment is going to have some areas of non-compliance somewhere.  For example, consider a retail chain with 4000 locations.  Assuming that every location is going to be compliant with 100% of the standard is a recipe for problems.  To assess where the problems are, it's not workable economically (for either the retailer or the assessor) to do an assessment of every retail location, so you have to pick and choose what's in scope of the assessment vs. what isn't.  You're always picking and choosing: what machines you look at, what accounts you review, what stores you visit, etc.    

Two factors influence how realistic the assessment is: (1) how skilled the assessor is and (2) how much the retailer lies to you about what's really going on (because this happens more than you'd think).  For a #1 problem, holding the assessor's feet to the fire makes sense to me, but for #2 it seems like the assessor's not really the issue.  
Zimdog
50%
50%
Zimdog,
User Rank: Apprentice
3/27/2014 | 12:09:21 PM
Re: Should PCI auditors be prohibited from selling security services?
It's rediculous to allow an assessor to provide remediation or other services to a client they've assessed.  It's a complete conflict of interest.
Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
3/27/2014 | 10:29:46 AM
Re: Compliance Does Not Mean Hack-Proof
If the card brands really belive in PCI, I'd love to see them put some money on the line with an offer like this: if you are certified PCI-compliant and then get breached, the card brands will assume a share of the liability.

There's nothing fundamentally wrong with the PCI standards. The problem is that since PCI first came out, the PCI organization and the card brands have insisted that no compliant organization has ever been breached--in essence, saying that PCI compliance is equivalent to being breach-proof. Clearly that's nonsense: compliance does not equal perfect security, and it's a mistake to conflate those ideas.

The card brands get to set the rules for retailers via PCI, but there are no penalties for the card brands if those rules fail. It's the perfect catch-22: if you are certified compliant, and then subsequently breached, you must not have been truly compliant, because compliant companies don't get breached. Crazy.
macker490
50%
50%
macker490,
User Rank: Ninja
3/27/2014 | 9:36:47 AM
two rules of security
there are two rules to computer security:

1. the host o/s must not allow itself to be modified by the actions of a running application program.

2. the customer is responsible for the activities of the application programs running on its systems

 

i.e. oem is responsible for building secure operating software. customer is responsible for using software properly.   same as we do for cars and many other products for which we have established product liability.

it's time for product liability in software.

don't laugh at rule 1: the means for doing that have been built into x86 since 80386 when protected mode was added to the x86.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 7:51:24 AM
Re: Compliance Does Not Mean Hack-Proof
That's a fantastic idea. Hold card brands accountable for the security of the payment card infrastructure, as well as all related processing. And imagine if Visa had to prove that its payment processing black boxes and back-end infrastructure were PCI-compliant? That would be a poetic turn of events.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/27/2014 | 7:42:07 AM
Re: Compliance Does Not Mean Hack-Proof
Fallout from the Target breach already is speeding up the adoption of chip & pin (via Target), so maybe this legal case will spur debate and possible change with some of these PCI enforcement holes noted by Gartner's Litan.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 7:12:18 AM
Should PCI auditors be prohibited from selling security services?
Interesting follow-on from the news of the lawsuit from Gartner analyst Avivah Litan, who says that while she thinks the PCI standard is good, the PCI enforcement process needs fixing.

Furthermore, she argues, assessors shouldn't be allowed to also sell security services to their clients: "Gartner has long argued that PCI qualified security assessors like Trustwave should not be allowed to sell remediation and ongoing security services as Trustwave did for Target, according to the lawsuit. This has the effect of potentially destroying the integrity and independence of the assessment process," she says in a blog post.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-4514
Published: 2014-10-21
Cross-site scripting (XSS) vulnerability in includes/api_tenpay/inc.tenpay_notify.php in the Alipay plugin 3.6.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via vectors related to the getDebugInfo function.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.