Penetration Testing mailing list archives

Fwd: [Dataloss] Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 3 Jun 2009 20:24:55 -0400

From the folks at Attrition and the DataLossDB.

---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Jun 3, 2009 7:54 PM
Subject: [Dataloss] Merrick Bank v. Savvis: Analysis of the Merrick
Bank Complaint
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

 http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/

 Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint
 Posted on June 3rd, 2009 by David Navetta

 The Merrick Bank v. Savvis lawsuit has the potential to change the
 liability dynamic of the PCI regulatory system.  The Savvis case is one of
 the first known instances of a payment card security assessor being sued
 by a merchant bank (the merchant bank is a third party relative to the
 Savvis-CardSystems relationship).  The Merrick Bank complaint alleges
 that it relied on Savvis' certification of CardSystems as Visa CISP
 compliant (this matter pre-dated the PCI standard), and that the certification
 was false.  After CardSystems suffered a breach exposing up to 40 million
 payment card records, Merrick allegedly incurred $16 million in payments
 to the card brands (which were ultimately transferred to the issuing banks that
 suffered losses arising out of the CardSystems breach).

 If Savvis is held liable (or even if this case makes it past a motion to
 dismiss or a motion for summary judgment), it has the potential to
 significantly modify the relative risk of PCI qualified security
 assessors, and in turn modify the PCI regulatory scheme.  This post
 discusses the two theories of liability alleged by Merrick: (1)
 negligence; and (2) negligent misrepresentation.

 [..]
