The recent news of RBS WorldPay and Heartland in recent news highlights the importance of quality audit efforts by the firms attesting to the security adherence of each organization. Quality is important, and as every QSA is required to accept liability and indemnify the Card Brands prior to delivering any work an entire business can be at risk. Why is this news now 4 years after the event?
CardSystems is still alive and well in courts these days where the Acquirer (Merrick) that had to cover the costs of the fraudulent charges has filed suit against the Auditor (Savvis) for negligence and lack of due care. Now this is under the original Visa CISP, but can naturally create a precedent for current firms conducting these evaluations. Check out the the news story here and the court case details here.
What does this mean for Auditors / QSA firms? Simple:
- Get it right the first time;
- Have proper engagement documents to protect against such cases;
- Maintain good documentation, and again – do it right.
- Go to the professionals – the Accounting Auditors / Internal Auditors ; Institute of Internal Auditors, there are great workpaper guidances and quality methodologies that are 100s of years old and carefully maintained.
This court case highlights the importance of diligent work and careful quality review. Ideally the 2009 Quality Check process will capture deficiences in the process early before breaches happen.
What does this mean for Businesses relying on these audits:
- Carefully consider the points I raised on hiring a QSA
- Check out Siva’s post on vetting a QSA
- You get what you pay for…
- These audits are VALIDATIONS and not exams – it is in everyone’s interest to identify; mitigate; protect and maintain
A nice write up at Wired on this brewing activity by Kim Zetter.
Thoughts on how this will affect the landscape?
James DeLuccia IV