Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


Target, PCI Auditor Trustwave Sued By Banks

Trustwave apparently certified the retailer as PCI compliant -- but can PCI assessors be held liable for data breaches?

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

The security firm Trustwave and the discount retailer Target have both been named in a lawsuit filed this week by Trustmark National Bank and Green Bank.

The banks are seeking class-action status for the lawsuit, as well as $5 million in damages to cover the cost of cancelling and reissuing some of their MasterCard-branded cards, which were among the 40 million credit and debit cards stolen from Target. The damages would also cover the "absorption of fraudulent charges made on the compromised payment cards, business destruction, lost profits, and/or lost business opportunities," according to the complaint.

The complaint also accused Target of failing to "safeguard and protect PII [personally identifying information] and sensitive payment card information," in part by not being compliant with Payment Card Industry Data Security Standards (PCI DSS). "Because Target and Trustwave failed their duties to 110 million customers, it falls to the banks and the other [class-action] members to protect those customers by reissuing their credit and debit cards, and communicating with those customers to prevent fraud and repay any fraudulently made purchase."

[How can businesses stay ahead of black market bad guys? Read Cybercrime Black Markets Grow Up.]

As American Banker first reported, the lawsuit revealed for the first time that Trustwave, referenced in the complaint the as having "deep expertise in PCI compliance," apparently served as Target's PCI-approved Qualified Security Assessor (QSA) while monitoring its networks for signs of intrusion. "Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target's systems and compromises of PII or other sensitive data," the complaint reads.

But the complaint accused Trustwave of failing to provide the level of security that it promised -- and failing to meet industry standards, since the data breach continued for nearly three weeks on Trustwave's watch before it was detected by third parties and reported to Target.

Abby Ross, a Trustwave spokeswoman, told us via email: "Our company's policy is not to confirm that any party is a customer, not to comment on specific customers, and not to comment on pending legal matters." Likewise, Target spokeswoman Molly Snyder said via email that it typically doesn't comment on pending litigation.

Will the lawsuit, which accuses Target and Trustwave of collectively failing to prevent the largest retail data breach in US history, pass muster -- or even spark PCI DSS changes?

A spokesman for the PCI Security Council, which administers the PCI DSS, didn't immediately respond to an emailed request for comment about the lawsuit and the apparent attempt to hold a PCI auditor liable for its security assessment.

It's important to note that many of the allegations contained in the report are based on press reports and suggestions -- but no solid evidence -- that Target failed to comply with PCI DSS. "USA Today, among other sources… reported Target was likely not PCI DSS compliant because 'the attack, involving an enormous amount of data, went on essentially unnoticed for 18 days,'" the lawsuit reads.

In fact, Target previously confirmed that it was certified as being PCI compliant not long before the November 2013 data breach began.

The lawsuit also quoted this publication: "according to Infonationweek.com [sic], the Target data breach should never have happened." This refers to an analysis by Forrester analyst John Kindervag, who said that the theft of CVV codes "shows they were being stored," which would have violated PCI DSS. "This is a breach that should've never happened."

But Kindervag's analysis dates from Dec. 19, the day that Target first publicly confirmed the breach. Since then, digital forensic investigators have discovered that the memory-scraping malware employed by attackers intercepted card data from point-of-sale system memory in the moment after the card was swiped but before it could be encrypted and stored. Thus, for the purposes of this breach, it's irrelevant whether Target was storing CVV codes or not, because that's not how attackers stole the credit card data.

Instead, Target -- among other retailers of late -- was hacked using "sophisticated malware" that was built to exploit security weaknesses in the payment processing chain, Gartner analyst Avivah Litan said in a recent interview.

"Nothing I know of in the PCI standard could have caught this stuff," she said in a January blog post. "So I think it's flat out wrong to blame this all on Target or on any of the other breached entities."

In fact, she said, card issuers -- as well as banks -- should shoulder some of the blame. "The card-issuing banks and the card networks -- Visa, MasterCard, Amex, Discover -- share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began."

That includes their failure to pay for EMV chip security for US credit cards -- long after Europe adopted EMV -- or to put in place end-to-end, retailer-to-issuer encryption to protect all card data. Though EMV wouldn't have prevented the Target breach, Litan called out US banks and card brands for failing to spend money on proactive information security measures while transferring more of the risk to the merchants that accept their cards, in part by making them sign contracts stating that retailers, processors, and QSAs can't be held liable if there's a data breach.

Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants 'safe harbor' from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"

But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?

Vulnerability scanning and patch management are key to enterprise security, but fears from the business side about downtime and broken apps often get in the way of IT pros' efforts in these areas. In this Dark Reading report, we recommend a vulnerability scanning and patch management framework that accommodates all stakeholders while raising security standards. Read our Analyzing Vulnerabilities In Business-Critical Applications report today (free registration required).

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Apprentice
4/30/2015 | 12:19:40 PM
Re: Compliance Does Not Mean Hack-Proof
No merchant has EVER been breached that was PCI compliant, just ask the council!  Every breached merchant either the QSA missed something, rendering the compliance invalid, or something changed after they were certified as compliant.  Since PCI is a point in time audit, you are really only compliant for the day your AOC is issued.
User Rank: Apprentice
3/28/2014 | 6:55:29 PM
card brands and banks have failed to invest sufficient resources...
I have no sympathy for card-issuing banks.
I believe banks should bear the costs of advancing card technology, NOT the merchants.

Skimming fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (over 7) years. Just one of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant. This is the only solution that I know of that works for BOTH card-not-present and card-present transactions. Chip and PIN is a great step forward, but ONLY addresses the problem when the card is present.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it's "too costly". This is not entirely true.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.
A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

Again- whether or not card data is stored at (or scrapped from) the POS terminal is irrelevant, if the data itself (the card number) changes with every transaction.

See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
Here: http://bit.ly/19fbXKb
(last archived by archive.org on Oct. 1st, 2013).

Target, Neiman Marcus, Michael's, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.
User Rank: Apprentice
3/28/2014 | 2:13:44 PM
Re: Compliant vs. non-compliant is how hard you look
However, this is not Trustwave's first rodeo. A few years back a payment processor got breached and Trustwave was their QSA as well.
User Rank: Apprentice
3/27/2014 | 6:36:43 PM
PCI Security Council Weighs In
I just heard back from Bob Russo, general manager of the PCI Security Standards Council, about the organization's POV on the lawsuit filed against Trustwave and Target. Here's what he says: 

As the Council does not conduct PCI compliance assessments, we cannot speculate on any specific assessment or any related lawsuits or ongoing investigations. The Council reminds organizations that a compliance assessment is just a snapshot in time and that passing a PCI compliance assessment at one point in time does not guarantee the ongoing security of your business or data. PCI Standards are a strong security baseline to help businesses prevent, defend and detect attacks on their systems with a layered approach. But just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process.

Ed Moyle
Ed Moyle,
User Rank: Apprentice
3/27/2014 | 4:45:11 PM
Compliant vs. non-compliant is how hard you look
Back in the day when I was a QSA, I would tell folks that the difference between a compliant environment and a non-compliant one was in how hard you look.  

What I mean by that is that any large cardholder data environment is going to have some areas of non-compliance somewhere.  For example, consider a retail chain with 4000 locations.  Assuming that every location is going to be compliant with 100% of the standard is a recipe for problems.  To assess where the problems are, it's not workable economically (for either the retailer or the assessor) to do an assessment of every retail location, so you have to pick and choose what's in scope of the assessment vs. what isn't.  You're always picking and choosing: what machines you look at, what accounts you review, what stores you visit, etc.    

Two factors influence how realistic the assessment is: (1) how skilled the assessor is and (2) how much the retailer lies to you about what's really going on (because this happens more than you'd think).  For a #1 problem, holding the assessor's feet to the fire makes sense to me, but for #2 it seems like the assessor's not really the issue.  
User Rank: Apprentice
3/27/2014 | 12:09:21 PM
Re: Should PCI auditors be prohibited from selling security services?
It's rediculous to allow an assessor to provide remediation or other services to a client they've assessed.  It's a complete conflict of interest.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
3/27/2014 | 10:29:46 AM
Re: Compliance Does Not Mean Hack-Proof
If the card brands really belive in PCI, I'd love to see them put some money on the line with an offer like this: if you are certified PCI-compliant and then get breached, the card brands will assume a share of the liability.

There's nothing fundamentally wrong with the PCI standards. The problem is that since PCI first came out, the PCI organization and the card brands have insisted that no compliant organization has ever been breached--in essence, saying that PCI compliance is equivalent to being breach-proof. Clearly that's nonsense: compliance does not equal perfect security, and it's a mistake to conflate those ideas.

The card brands get to set the rules for retailers via PCI, but there are no penalties for the card brands if those rules fail. It's the perfect catch-22: if you are certified compliant, and then subsequently breached, you must not have been truly compliant, because compliant companies don't get breached. Crazy.
User Rank: Ninja
3/27/2014 | 9:36:47 AM
two rules of security
there are two rules to computer security:

1. the host o/s must not allow itself to be modified by the actions of a running application program.

2. the customer is responsible for the activities of the application programs running on its systems


i.e. oem is responsible for building secure operating software. customer is responsible for using software properly.   same as we do for cars and many other products for which we have established product liability.

it's time for product liability in software.

don't laugh at rule 1: the means for doing that have been built into x86 since 80386 when protected mode was added to the x86.
User Rank: Apprentice
3/27/2014 | 7:51:24 AM
Re: Compliance Does Not Mean Hack-Proof
That's a fantastic idea. Hold card brands accountable for the security of the payment card infrastructure, as well as all related processing. And imagine if Visa had to prove that its payment processing black boxes and back-end infrastructure were PCI-compliant? That would be a poetic turn of events.
User Rank: Strategist
3/27/2014 | 7:42:07 AM
Re: Compliance Does Not Mean Hack-Proof
Fallout from the Target breach already is speeding up the adoption of chip & pin (via Target), so maybe this legal case will spur debate and possible change with some of these PCI enforcement holes noted by Gartner's Litan.
Page 1 / 2   >   >>
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
PUBLISHED: 2021-06-23
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
PUBLISHED: 2021-06-23
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.