Sunday, June 7, 2009

Merrick Bank vs. Savvis Could Affect "Liability Dynamic"
contributed by SANS NewsBites Vol. 11 Num 44

The lawsuit brought by Merrick Bank against Savvis raised important
issues about compliance and liability. Merrick, a merchant bank, is
suing Savvis because Savvis's certification of CardSystems as compliant
with Visa CISP (a compliance standard that predates the Payment Card
Industry Data Security Standard, or PCI-DSS) was faulty, causing Merrick
to lose US $16 million after CardSystems suffered a data security
breach. Merrick is alleging negligence and negligent misrepresentation.
The case could "force increased scrutiny [of] largely self-regulated
credit-card security practices," and raises the specter of
government-imposed regulation. One article also points out that to
generate an accurate report, auditors rely on honesty and cooperation
from the people at the entity being audited.
