Critics say company that assessed Target has been sloppy in past.
Trustwave Holdings gave Target Corp. the green light on payment card security last September, just weeks before malware installed on the retailer’s networks began sucking up customer information in a mega data heist.
It’s a rough position for a company that built its brand reputation selling payment compliance and security to some of the country’s largest corporations.
But it’s not the first time Trustwave’s been there.
The Chicago-based company has given a clean review to at least six other companies in recent years that subsequently suffered breaches, one of which rivals Target’s in size. They include some of the nation’s largest payment processors, such as Heartland Payment Systems, which suffered a monster breach in 2008 about two months after Trustwave deemed it compliant with payment card industry (PCI) security standards.
A giant in the small world of PCI compliance, Trustwave has performed thousands of audits for retailers and payment processors, most of which haven’t preceded any known problems.
But critics, including one former Trustwave employee, see a pattern. Some say the incidents illustrate the payment industry’s flawed system for policing the safety of consumer information.
“Trustwave is the largest player in a PCI auditing or assessment system that is rife with conflicts of interest and hence produces less-than-optimal results,” said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research.
Litan pointed to Trustwave’s record of assessments at companies that have been breached, as well as arrangements with top payment processors who use Trustwave as a preferred vendor to provide security services for merchants. Its relationship with Chase Paymentech is so close, for instance, that it offers merchants Trustwave’s risk assessments for free.
Trustwave declined to comment for this article. So did Target.
Privately held Trustwave, with more than 600 employees, is a central and global player in PCI compliance, an assessor with deep roots in the payment industry’s body of checks and rules for protecting credit and debit card information in the United States. The standards are set by the PCI Security Standards Council, an industry group in Wakefield, Mass., created and run by the world’s five major card brands — Visa, Discover, MasterCard, American Express and JCB (Japan) — nearly eight years ago. Enforcement lies with the individual card networks.
Today’s Trustwave grew out of a 2005 merger between Chicago information security company Ambiron and Annapolis, Md.-based Trustwave. It continued on a path of rapid growth, acquiring a slew of data loss prevention companies — at least 10 since 2008. In the spring of 2011, when filing to go public, Trustwave reported annual revenue of $111 million. It shelved the IPO that summer when markets seesawed.
Although it’s a dominant player in PCI compliance, it provides a range of other services, such as threat assessments and managing security services for companies that want to outsource it. Its five security operation centers around the globe include one in Eden Prairie, acquired when Trustwave bought SecureConnect, which manages information security for hospitality companies including chains such as Dairy Queen and Culver’s.
The company website is full of case studies showcasing a range of satisfied customers.
Minneapolis-based Target Corp. started working with Trustwave several years ago. A former Target information technology employee said that Trustwave essentially taught Target how to be PCI-compliant and that it mostly interacted with the Target Information Protection team, called TIP.
“The TIP team had a high level of confidence in Trustwave,” the person said.
Target has already said in government filings that it expects to be found noncompliant, despite being found compliant at the end of September, because companies that suffer data security breaches are almost always found to be out of compliance with PCI standards.
Just how many companies suffered a breach shortly after a Trustwave assessment of compliance can’t be determined because the lists of merchants and the vendors who do their annual compliance checkups are closely guarded secrets held by Visa and MasterCard.
What is available on the Internet is Visa’s separate list of the companies that store or process payment data for merchants and the vendors who do their compliance checkups. A cross-check of the 2011-2013 lists with a database of breaches maintained by the Open Security Foundation indicates a few were breached not long after a Trustwave compliance assessment.