Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive
150x172_CUEffect.jpg
Contacts
LISA MCCUEVICE PRESIDENT OF COMMUNICATIONS
EDITOR-IN-CHIEF
MICHELLE WILLITSManaging Editor
RON JOOSSASSISTANT EDITOR
ALEX MCVEIGHSTAFF NEWSWRITER
TOM SAKASHSTAFF NEWSWRITER

News Now

CU System
Data breach suit targets CardSystems auditor
NEW YORK (6/3/09)--In what may be a first in the field of data-breach litigation, a bank has sued the security auditor of CardSystems Solutions for liability in the 2004 data breach of the now-defunct card payment processor. Merrick Bank, based in Utah, sued the processor's security auditor, Savvis Inc., which had just given CardSystems Solutions an all-secure clearance three months before the hacking was discovered, according to Wired.com (June 2). The hacking compromised thousands of credit and debit cards, including those of credit union members. Hundreds of credit unions ended up closing accounts and reissuing cards and some saw losses due to fraudulent activity on the compromised accounts. The case will test the card industry's primary security standard, which was known in 2004 as Cardholder Information Security Program (CISP). CISP was the predecessor of today's current card industry standard, the Payment Card Industry Data Security Standard (PCI DSS). It will also test the liability of security auditing firms that deem companies as compliant with the standards. Merrick Bank, in its suit filed last year in Missouri, alleges that Savvis was negligent in certifying that CardSystems was complaint with industry standards. The compliance certification issue came to the forefront after Heartland Payment Systems and RBS WorldPay experienced large breaches even thought they had been certified as compliant with PCI standards. Another breached company, Hannaford Bros.,was certified in February 2008--while its customers' data were compromised in an ongoing breach process. The case moved to an Arizona court five months ago but only recently was assigned a judge, which means the case can move forward, said Wired.com. Arizona has a law that allows an entity that isn't a direct party to a contract to seek recovery if it is an "intended beneficiary" of the contract. In this case, even though Merrick didn't contract directly with Savvis to certify CardSystems, it relied on that certification being trustworthy, said the publication.


RSS





print
News Now LiveWire
Construction spending drops in January, according to @CommerceGov http://t.co/W9J1mDyF8X #Market #NewsNow
12 hours ago
During Nat'l Consumer Protection Week, @TheNCUA reminds #CU members of agency resources re: rights as consumers. http://t.co/aYgW1HoDmF
13 hours ago
.@TransUnion: #millennials climbing into driver's seat with loans http://t.co/S4H9OIB3Av
14 hours ago
Breaking at #NewsNow: @CUNA backed bill introduced by @RepEdRoyce @GregoryMeeks would raise MBL cap. #CUSmallBiz http://t.co/ZDAb2UMoQz
15 hours ago
Loan growth at federally insured #creditunions in 2014 climbed to highest level since 2005, @TheNCUA reported today. Watch News Now Tues.
16 hours ago