Tuesday, April 14, 2009

MUST Read: “Who is Minding the Legal Risk around PCI?” by David Navetta

Initially this was supposed to go into my next Security Reading review, but as I was reading the paper I was getting more and more excited about it [please don’t tell me I am weird because of it :-)]

A very, very good read by David Navetta: “Who is Minding the Legal Risk around PCI?” [PDF]

It’s official, this paper gets my “Exudes Pure Awesomeness!” of the 1st degree award.

“In the PCI context, plaintiffs can allege negligence by arguing that a merchant handling payment card data has a duty to protect such data, and that the PCI Standard is evidence of what merchants must do to achieve “ordinary care” or “reasonable security.” If the merchant suffers a security breach exposing payment card data, the failure to comply with PCI would arguably amount to a breach of that duty.”

“Since TJX there have been several lawsuits filed against organizations that had been validated PCI-compliant at the time of the breach. It can be expected that plaintiffs and courts in these suits are going to finely scrutinize every decision, practice, and interpretation around the stated PCI validation. The plaintiffs’ hope will be to discover that these merchants were not actually PCI-compliant despite the validation.”

“Actual PCI compliance, however, does not necessarily absolve an organization from liability in the negligence context. In fact, PCI, as an industry standard, should be viewed as the minimum or floor in terms of what a court will consider “reasonable security.”” and “Security professionals and organizations need to know that when determining which controls to implement to protect cardholder data, PCI compliance may not be enough in a court of law.” (and, obviously, not enough “in the trenches”)

“However, the Federal appellate court in Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392/3405 (3rd Circuit, July 13, 2008) has allowed an issuing bank’s breach of contract claim to continue against a merchant bank that sponsored a merchant.” (even though the issuing bank’s name was not on the contract)

“The Minnesota [PCI DSS-based] law (potentially others if they pass) provides a direct path to liability based in part on whether an entity was PCI-compliant.”

“One of the biggest challenges faced by organizations is resolving ambiguities in the PCI Standard as written and especially as applied to a particular organization or environment. Unfortunately, as PCI becomes a legal standard, the ambiguities arising out of the PCI Standard could increase the risk of legal liability.”

“In other words, being right on your judgment call [e.g. about the compensating control] at the end of the day will not necessarily eliminate legal risk, especially in the face of a breach that has already occurred. The problem is further complicated because there is no definitive way to resolve ambiguities under the PCI system.” (and, no, it is not always the QSA)

My fave part:

“Legally risky PCI practices:

#1 QSA shopping – With hundreds of qualified security assessors of varying sizes, sophistications, and skills, some companies will shop for the cheapest QSA that will validate their compliance in the least expensive and least painful way. […]

#2 Rubber stamping - Another legally risky practice is “rubber stamping”: essentially failing to analyze actual security and simply treating PCI compliance like a facile checklist. In short, when QSA shopping occurs, rubber stamping is what can result.

#3 Scoping - The legal risk posed in this instance is obvious: if a breach occurs with respect to part of a cardholder environment that did not have proper PCI controls [since it was deemed ‘out of scope’] in place, this fact will be used against the organization in court.”

“Another key point that could increase the legal risk associated with PCI is the potentially false sense of security that can arise after being validated PCI-compliant. Validation does not necessarily equal compliance with PCI or “reasonable security” under the law.”

“Until much more is learned about how alleged “safe harbors” [something that allows them to claim ‘compliant + breached –> not liable’] work, and until service providers and merchants have a legal mechanism to actually enforce “safe harbor,” organizations should not assume they are protected.”

“Despite its security-centric origins, PCI compliance is posing increased legal risk. For organizations with a strong risk management ethos the approach to PCI compliance will likely involve a legal perspective and risk analysis.”

Read it now, whether you are a “PCI optimist”, “PCI pessimist” or a “PCI ambivalent-ist” :-) Something for everybody in there!

Dr Anton Chuvakin