Lawsuit against Target and Trustwave gets the security standard all wrong

Trustmark National Bank and Green Bank, N.A. filed a class action lawsuit on March 24 against Target and Trustwave, which is Target’s quality security assessor (QSA), over the recent card data breach. Trustwave is a big security firm, and QSA (Qualified Security Assessor) is one of its main lines of business.

But the lawsuit contains some questionable interpretations of the Payment Card Industry Data Security Standard (PCI DSS).

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1234779,"post_type":"guest","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

The lawsuit claims:

“Under PCI DSS, merchants like Target are required to encrypt customer names, payment card numbers, expiration dates, CVV codes (Card Verification Value codes), and PIN numbers (“Track Data”).” 

This is wrong. PCI DSS requires encryption only for sensitive cardholder data stored on hard drives or transmitted over public networks (like the Internet). Data in computer memory and data on local networks can remain unencrypted, which is allowed by PCI DSS, and such an environment would be still PCI compliant.

The lawsuit also states, “The fact that the three-digit CVV security codes were compromised shows they were being stored.” 

This is wrong for the same reason. The fact that CVV codes were compromised does not mean they were being stored. They could be stolen either from memory using RAM scraping techniques or from the local network using network sniffers (there are many other methods, but those two are the most common). And as I said before, PCI DSS does not require encryption of sensitive cardholder data (including CVV) in memory or on a local network. Those are only two short statements from the large lawsuit, but they show that even if the merchant (Target in this case, but it can be anyone else) is PCI compliant, it is not safe from a security breach.

In addition, or maybe even instead of PCI DSS measures, merchants and their payment processors should implement special security technologies such as P2PE (point-to-point encryption), which protects the sensitive cardholder data from the moment it enters the card reader and makes it virtually inaccessible to hackers.

One thing to keep in mind here is that this lawsuit could set a precedent (if Trustwave is found liable), where the PCI security auditor is responsible for card data breaches even when the company they are auditing is fully in compliance with the PCI DSS.

Slava Gomzin is a security and payments technologist at Hewlett-Packard and author of the book Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions, also available on Kindle. He also has a blog on payment security and technology, PayAppSec. In his role at HP,  Slava helps create products that are integrated into modern payment processing ecosystems using the latest security and payments technologies. Prior to joining Hewlett-Packard, he was a security architect, corporate product security officer, R&D and application security manager, and development team leader at Retalix, a Division of NCR Retail. As PCI ISA, he focused on security and PA-DSS, PCI DSS, and PCI P2PE compliance of POS systems, payment applications, and gateways. Before moving into security, Slava worked in R&D on design and implementation of new products including next-generation POS systems and various interfaces to payment gateways and processors. Slava currently holds CISSP, PCIP, ECSP, and Security+ certifications.