Should a QSA and the Merchant be held liable for security breaches! LOL Seriously!
Jul 27, 2015
The below is an excerpt from the article written by Mathew Schwartz on the Target breach and subsequent lawsuit against the merchant and their QSA!!
Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants 'safe harbor' from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"
But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?
Well...ask yourself this question...why do the Card Brands still use card numbers for their credit cards? Chip cards could eliminate the need for outward-facing card numbers. So ask yourself why the Financial institutions took so long in instituting EMV...it is still not fully adopted in the United States and other parts of the world because of the extreme cost to implement it. Mag stripes on cards are open invitations to criminals.
Because Financial institutions and the Card Brands own the card numbers, who is ultimately responsible for protecting their interests? Wouldn't, shouldn't it really be the Card Brands/Banks themselves who are responsible for their own card numbers and any fraud loss?
Ask yourself...if you as a Card Brand created a security requirement program like PCI and PA-DSS and didn't enforce it across all merchants and service providers so that every employee is educated and trained in basic security and social engineering as it pertains to their departments...if you didn't, as the owner of the card numbers, follow through on enforcing your own protection program...wouldn't it be logical that the owner of the card numbers be responsible, and that the buck stop with the actual owners of the card numbers?
In my opinion the buck stops with the Financial Institutions and the Card Brands themselves. We don't need card numbers to conduct financial transactions now...We haven't for a long time!
So why do card numbers still exist on credit cards when they can be so easily stolen and create such lucrative revenue streams for criminals....hmmmmmmmm!!