Wednesday, 3 June 2009

Bank sues auditor over losses resulting from card data breach

An interesting test case involving a US bank suing an auditor, which it claims was negligent in certifying a payment processing company, is believed to be the first case of its kind and could set a precedent for other cases to follow.

Merchant acquiring bank, Merrick Bank, based in Utah is suing auditor, Savvis Inc., claiming that it lost $16 million as a result of fraud, fines and other costs related to a 2004 data breach at payments processing provider, CardSystems, which resulted in hackers stealing 263,000 card numbers.

Merrick says its losses stemmed from having to pay Visa and MasterCard to reimburse their issuers from the breach-related fraud, as well as other costs including legal fees. Prior to the data breach, Savvis, had carried out an audit of CardSystems. Merchant Bank now claims that report was "false and misleading" and that Savvis "failed to use reasonable care and competence in representing that CardSystems was CISP-compliant when it fact it was not.”

The Cardholder Information Security Program (CISP) preceded the PCI-DSS standard for securely storing card data. One of the basic requirements of card data security is that the data should be encrypted.

No comments: