The subtitle for this post should be: Compliance is not security! Compliance is not security! Compliance is not security! And because no one wants to spend money, we’re all going to suffer for it.
Wired has posted an article on the lawsuit CardSystems has filed against its auditor, Savvis.
In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.
More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.
They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.
The number of ways this is all so fucked up makes my head spin and makes me want to vomit out every reason in a babble of words and rants. So much so that it is hard to even begin to be concise!
This lawsuit may finally poke the elephant in the room: a compliance audit is a point-in-time snapshot, and it fails without continuous internal rigor (i.e. staff and money) to keep the environment in the state the auditor saw.
Many experts understand this, but many middle-men and legalists choose to ignore it, probably because management squeezes budgets from the top down. Security vs. profits.
The analogy between digital security and physical law enforcement is overused, but parts of it still hold. For instance, if you are robbed, can you sue the police department? Is the aim of law enforcement (i.e. security) to prevent all crime, or simply to respond to, detect, and maybe contain it?
To take another tack, one can draw parallels between digital security and accounting practices. Why do accounting departments go through audits and make changes? Often you’ll hear, “because we have to.” Someday, if we can’t do this shit ourselves, we’ll “have to” go through transparent digital security audits just like financial audits. And we won’t be able to say no.
And it will be neither pretty nor all that much more effective than what we have now for digital security.
Conflict of Interest
There’s another elephant in this room. Yeah, really, there is. And that is the elephant of conflict of interest. (Maybe the biggest elephant is simply greed and cost avoidance!)
It would be easy to point a finger at auditors and say they have a conflict of interest in certifying the clients who pay them, even when those clients’ security sucks. But the real blame may lie with the client who, when handed a failing audit, simply goes elsewhere. In this way, they’re not buying a real audit so much as demonstrating that they just want to buy a rubber stamp of compliance. This subtle attitude in turn punishes the quality auditors and rewards the crappy ones!
Another possible end result: internal solutions
Bear with me while I ramble just a little bit.
Card industry smacks payment processors.
Payment processor takes shortcuts whenever possible.
Payment processor pays for an audit pass.
Payment processor gets hacked.
Payment processor sues auditor (i.e. passes the blame).
Auditors protect themselves by demanding unfettered 24/7 access; otherwise, no guarantees.
Payment processor may as well staff internally (so they can pass the blame).
No 24/7 operation can prevent internal employees from acting in unexpected ways.
This leads to a vicious circle of management (“secure it!”) vs. employees/staff (“not possible!”).
Eventually we pass the blame to employees.
And all this because no one can guarantee security.
And too much of our legal and business foundation cannot cope with the absence of blame or guarantee.
The Silver Lining: Natural Selection
One common complaint these days, especially amongst the truly skilled pen testers and auditors, is the number of crappy firms and people doing audits. If we get no other benefit from CardSystems vs. Savvis, at least it should scare off the firms that know their own products and services are incompetent.
And finally some subtext: smaller is better?
So, can one say that we should trust smaller audit firms more? If you hire a small team of auditors, will they have less of a conflict of interest, and possibly higher standards, than a large firm churning through clients for profit? This might just be a personal slant…