Wednesday, June 3, 2009

Cardsystems (PaybyTouch) Suing Their QSA - Savvis

In a move that everyone seems to think is paramount, but in actuality was truly inevitable, a QSAC is being sued over delivering a compliant ROC to an entity that was compromised.

The only surprising part is that it's Cardsystems. Right... the one you kept hearing about over and over, about 5 years ago. The Cardsystems board was forced to sell the company to PayByTouch Processing as a result of Visa taking the company off of VisaNet post-breach. I know this case all too well. I'm the one who did the follow-up assessments post acquisition.

From the Wired article:

"Visa executive told an audience earlier this month that the companies were not compliant, though auditors certified they were. “No compromised entity has yet been found to be in compliance with [the standards] at the time of the breach,” she said."

I love how Visa and the SSC keep sticking to their guns on this one even though everyone knows it's a bag of BS. I even call it a bag of BS in the interview I did with Exotic Liability. Why is it BS? Because anyone can walk into any merchant or service provider, compliant or not, and find 1000 little nuances that probably don't matter and use them interpretively to MAKE the merchant not compliant.

The bottom line here is that Cardsystems is going to drop this case. Why? Because they don't have one!

First of all, QSACs and QSAs have NO legal or contractual obligation to provide an accurate report. They have a moral responsibility to do the right thing. Big whoop. Secondly, I know for a fact that none of the people who were working at Savvis and were on this project are still there, and good luck rounding them all up. Thirdly - Cardsystems as a corporation is nothing more than a shell at this point. I'm guessing that the judge will see right through this feeble attempt at a cash grab for what it is... completely lame corporate behavior with no merit.

On top of all that - why would you wait 5 years to suddenly decide that you need to lay blame for your own crappy security infrastructure work on an auditing firm whose job it was to evaluate it for a 3rd party? Seriously, get a mirror. I've seen your network. Even in its repaired, remediated state, it's not all that much to write home about.

Cardsystems - This suit is a joke. You're not going to win. Try to fade out of the media limelight slowly so that no one notices how lame you are. By the way - nice job laying off all the people who fixed your security problems as soon as the heat was off (Hi Kurt, Hi Joe). That was a really classy move.

Savvis - Bummer fellas. I guess the good news is that your company is bigger than theirs, so you'll win the standoff if that's what it comes down to.