BreachExchange mailing list archives

Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint


From: security curmudgeon <jericho () attrition org>
Date: Wed, 3 Jun 2009 23:54:30 +0000 (UTC)


http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/

Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint
Posted on June 3rd, 2009 by David Navetta

The Merrick Bank v. Savvis lawsuit has the potential to change the 
liability dynamic of the PCI regulatory system.  The Savvis case is one of 
the first known instances of a payment card security assessor being sued 
by a merchant bank (the merchant bank is a third party relative to the 
Savvis-CardSystems relationship).  The Merrick Bank complaint alleges 
that it relied on Savvis' certification of CardSystems as Visa CISP 
compliant (this matter pre-dated the PCI standard), and that the certification 
was false.  After CardSystems suffered a breach exposing up to 40 million 
payment card records, Merrick allegedly incurred $16 million in payments 
to the card brands (which were ultimately transferred to issuing banks that 
suffered losses arising out of the CardSystems breach).

If Savvis is held liable (or even if this case makes it past a motion to 
dismiss or a motion for summary judgment), it has the potential to 
significantly modify the relative risk borne by PCI qualified security 
assessors, and in turn modify the PCI regulatory scheme.  This post 
discusses the two theories of liability alleged by Merrick: (1) 
negligence; and (2) negligent misrepresentation.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
