funsec mailing list archives

Clean reviews preceded Target's data breach, and others


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 31 Mar 2014 17:54:37 -0400

[Oddly, Trustwave denies being an outsource for Target:
https://www.trustwave.com/Trustwave-Announcement/].

http://www.startribune.com/business/252963011.html

Trustwave Holdings gave Target Corp. the green light on payment card
security last September, just weeks before malware installed on the
retailer’s networks began sucking up customer information in a mega
data heist.

It’s a rough position for a company that built its brand reputation
selling payment compliance and security to some of the country’s
largest corporations.

But it’s not the first time Trustwave’s been there.

The Chicago-based company has given a clean review to at least six
other companies in recent years that subsequently suffered breaches,
one of which rivals Target’s in size. They include some of the
nation’s largest payment processors, such as Heartland Payment
Systems, which suffered a monster breach in 2008 about two months
after Trustwave deemed it compliant with payment card industry (PCI)
security standards.

A giant in the small world of PCI compliance, Trustwave has performed
thousands of audits for retailers and payment processors, most of
which haven’t preceded any known problems.

But critics, including one former Trustwave employee, see a pattern.
Some say the incidents illustrate the payment industry’s flawed system
for policing the safety of consumer information.

“Trustwave is the largest player in a PCI auditing or assessment
system that is rife with conflicts of interest and hence produces
less-than-optimal results,” said Avivah Litan, a financial services
security analyst at Connecticut-based Gartner Research.

Litan pointed to Trustwave’s record of assessments at companies that
have been breached, as well as arrangements with top payment
processors who use Trustwave as a preferred vendor to provide security
services for merchants. Its relationship with Chase Paymentech is so
close, for instance, that it offers merchants Trustwave’s risk
assessments for free.

Trustwave declined to comment for this article. So did Target.
...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.