Banks Sue PCI Auditor Over Target Breach

In a rare move, two banks are suing a QSA over a data breach involving a retailer it had validated as PCI compliant.

March 27, 2014

CHICAGO – Two banks that suffered financial losses from the recent data breach at Target have sued Trustwave Holdings Inc., the company that validated Target’s compliance with the Payment Card Industry Data Security Standard, Computerworld reports.

The lawsuit alleges Trustwave did not do enough to protect customer payment card data, accusing it of negligence, deceptive practices, negligent misrepresentation and other misdeeds. It seeks class action status.

Trustwave declined comment on the lawsuit.

The lawsuit is rare in that a PCI security auditor is being sued over a data breach at one of its own clients.

Trustwave is a qualified security assessor (QSA), meaning it is authorized to conduct PCI compliance assessments of retailers and other organizations covered by the PCI standard. It also provides a range of security services to help companies achieve and maintain PCI compliance.

Many businesses that suffered major data breaches have claimed they were compromised despite being certified as PCI compliant by a QSA. The PCI Security Standards Council has until now dismissed any claims that the compliance validation process is at fault. It has insisted that if a company was breached, it could not have been compliant at the time of the breach.

The lawsuit alleges that Trustwave failed to identify the vulnerabilities in Target's networks that led to the breach. According to the complaint, Trustwave scanned Target's network two months before the breach and told the retailer that no vulnerabilities were present, when in fact there were multiple problems.

"Because of these vulnerabilities in Target's security systems -- either undetected or ignored by Trustwave -- hackers were able to take 40 million payment card records, encrypted PINs, and 70 million records containing Target customer information over the course of two weeks," the complaint stated.

Jim Huguelet, a retail security consultant, said blaming a QSA for a client's breach is somewhat disingenuous.

"If a QSA wants to deeply, independently validate the information that is provided to them by brick-and-mortar retailers with large store footprints, the costs to do this will move from the five- and low six-digit range each year to the high-six and low seven-digit range. Retailers will push back hard,” he said.
