There may be some alarm in the world of PCI QSA companies at the news that Trustwave Inc. (arguably the largest QSA company in the world and sponsor of many PCI Security Standards Council events) is to be sued by banks in the USA for alleged negligence in respect of the Target payment card breach.
A number of factors come into play with this action, not least the question of whether, should the banks' action succeed, Target (the company that suffered the breach) will also seek damages from the auditor it contracted to verify its security compliance status.
As PCI consultants, QSA companies are often viewed by clients as doom merchants, identifying vulnerabilities that are sometimes costly to remediate. Such vulnerabilities are not always given high priority by the (non-IT) lead directors and managers of such organisations, even where eliminating the vulnerability would require no more than a change to routine business processes and culture.
As PCI auditors, QSA companies have to be able to work with clients to enable them to reach the most appropriate level of compliance possible, and at the same time defend their audit process and reports if and when a breach occurs. Failure to assess effectively, or negligence in the assessment process, will always raise the risk of subsequent "breach of contract" action. I believe knowingly failing to facilitate or enable client compliance is now likely to lead to QSA companies being subject to compensatory claims from the card brands and the banks.
Whatever your view, the PCI landscape has changed.