funsec mailing list archives
Clean reviews preceded Target's data breach, and others
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 31 Mar 2014 17:54:37 -0400
[Oddly, Trustwave denies being an outsource for Target: https://www.trustwave.com/Trustwave-Announcement/].

http://www.startribune.com/business/252963011.html

Trustwave Holdings gave Target Corp. the green light on payment card security last September, just weeks before malware installed on the retailer’s networks began sucking up customer information in a mega data heist.

It’s a rough position for a company that built its brand reputation selling payment compliance and security to some of the country’s largest corporations. But it’s not the first time Trustwave’s been there.

The Chicago-based company has given a clean review to at least six other companies in recent years that subsequently suffered breaches, one of which rivals Target’s in size.

They include some of the nation’s largest payment processors, such as Heartland Payments Systems, which suffered a monster breach in 2008 about two months after Trustwave deemed it compliant with payment card industry (PCI) security standards.

A giant in the small world of PCI compliance, Trustwave has performed thousands of audits for retailers and payment processors, most of which haven’t preceded any known problems.

But critics, including one former Trustwave employee, see a pattern. Some say the incidents illustrate the payment industry’s flawed system for policing the safety of consumer information.

“Trustwave is the largest player in a PCI auditing or assessment system that is rife with conflicts of interest and hence produces less-than-optimal results,” said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research.

Litan pointed to Trustwave’s record of assessments at companies that have been breached, as well as arrangements with top payment processors who use Trustwave as a preferred vendor to provide security services for merchants. Its relationship with Chase Paymentech is so close, for instance, that it offers merchants Trustwave’s risk assessments for free.

Trustwave declined to comment for this article. So did Target.

...