PCI Auditor Being Sued for Certifying CardSystems as Compliant

Monday, July 13, 2009

Infosec Island Admin


Savvis is being dragged into court to defend its 2004 PCI DSS certification of CardSystems, which subsequently suffered a breach that exposed a quarter of a million credit card numbers.

This is the first of potentially many legal actions against PCI auditors that certified organizations as compliant, only for those organizations to be breached afterwards and held responsible for the loss of consumer credit card information.

Wired Magazine has a full article here.

Personally, I think it is about time. I've long believed that the PCI certification process (as it has historically stood) is a farce, and only designed to make Visa and some information security consulting firms money by requiring certification.

Alister Macintyre: I seem to remember that at the time of that breach, the issue came up that they had just completed a security audit that said they were secure in the specific areas they had asked to be audited, which did not include the areas where they got breached and were in violation of regulations.