Lawsuit in the US against a provider of security assessment services.

From a message on the firewall-wizards mailing list, and from there to this: Merrick Bank, following a security incident that reportedly cost it $16M, is said to have sued Savvis over the CISP (pre-PCI) certification of a payment processor, CardSystems. Quoting:

The key allegations, which are repeated throughout the complaint, include:

  • Merrick would not allow CardSystems to process Card Transactions until it was certified as CISP compliant
  • Savvis was specifically retained to certify CardSystems as CISP compliant, and did so pursuant to a Report on Compliance issued to VISA
  • Upon learning of the results of Savvis’s Report on Compliance (after CardSystems was listed by Visa as CISP compliant) Merrick allowed CardSystems to serve as its processor
  • According to a post-incident forensic analysis, at the time Savvis issued the ROC, CardSystems had been improperly and continuously storing unencrypted cardholder data
  • Savvis provided the ROC to VISA for the express purpose and with knowledge that Visa would publish the ROC, and that merchant banks would rely on it to determine whether CardSystems met the CISP standard
  • It was reasonably foreseeable to Savvis that merchant banks would rely on its report
  • Savvis knew or should have reasonably known that its certification of CardSystems was directly for the benefit and guidance of merchant banks

The notable point is the last one. Indeed, quoting again:

In this case, Savvis likely had a contract with CardSystems to perform an assessment, but did not have a direct contractual relationship with Merrick.

In other words: does the certifier bear liability, in case of negligence, toward third parties who rely on that certification for their own decisions?

For now, I would say this matters mainly for the PCI certification market. For that kind of market, I would also say the consequences could reach the Italian market, even though the lawsuit is in the US. But of course it depends on how it ends.
