Security Consultants blamed for Cardsystems breach
#154 In their testimony before the United States House of Representatives Committee on Financial Services, Subcommittee on Oversight, CardSystems, which reportedly exposed credit card transaction records of approximately 40 million people because they stored these transaction records in contravention of rules established for VISA and MasterCard processors, found someone who wasn't at the table to blame -- not VISA, not MasterCard, not their sponsoring bank, not themselves and not their customers. They blamed their auditors and security consultants.
And while they were at it, they also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.
Interesting times indeed...the case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems' Security consultants they thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought they were purchasing "hacker insurance" and a guarantee that they would never be subject to attack.
And while they were at it, they also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.
Interesting times indeed...the case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems' Security consultants they thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought they were purchasing "hacker insurance" and a guarantee that they would never be subject to attack.
posted by Dwaine at 8/03/2005
1 Comments:
Excellent response on this Dwaine! Posted a link to your article on my blog here:
http://jim-fran.com/BambisMusings/?p=239
Thanks for leaving a comment on my blog yesterday and linking to your site. I hadn't been to your site previously and found it very imformative! :thumbsup:
Post a Comment
<< Home