Most of the companies either did not return phone calls or declined to comment.
One, Hosting.com, a Denver-based cloud service provider that operates multiple data centers, got its report on compliance from Trustwave in June 2012. That October, cyberthieves hacked a dedicated server housing information for several medical groups, exposing the information of more than 15,000 people, many in Massachusetts.
Several knowledgeable industry veterans interviewed for this report said it’s an open secret in the PCI compliance world that Trustwave assessments are lax. The company pushes for speed, not accuracy, in its compliance reports, they said, selling cheap audits with an eye to selling clients more lucrative security services.
A former Trustwave assessor, who asked not to be named because he continues to work in PCI compliance, said he routinely saw Trustwave compliance audits with errors. He said he was doing about one assessment every week, and described the quality control issues as so severe that he left.
He said he thinks the company’s incentive structure fueled the problem. “The more assessments you could cram into a quarter, the bigger and juicier your bonus was going to be,” he said.
An employee with a base salary of $100,000, for instance, could generate $30,000 to $50,000 more a year by churning out as many assessment reports as possible, he said.
Heartland Payment Systems, one of the country’s largest payment processors, experienced some of those issues firsthand. Starting around June 2008, thieves hauled off nearly 130 million records from the Princeton, N.J.-based company in a cyberheist that remains one of the country’s largest recorded data thefts. Trustwave had given Heartland a clean bill of health the previous April.
The compliance report was full of “glaring errors,” Heartland Chairman and Chief Executive Bob Carr said in an interview, noting as an example that Trustwave assessors had overlooked one of Heartland’s data centers altogether.
“They didn’t even know we had a data center and they were certifying it was compliant. Seriously? Really?” Carr said.
Carr said he didn’t think the PCI assessment could have thwarted the breach even if it were done right.
In July 2008 Trustwave gave a passing grade to Atlanta-based card processor RBS WorldPay (now WorldPay US Inc.). About three months later, RBS was hacked. An international crime gang took just 12 hours to rack up more than 15,000 fraudulent transactions at ATMs around the world, draining away more than $9.4 million.
Doug Sandberg, WorldPay’s general counsel, said Trustwave’s assessment “might have been a little less than stellar … and frankly we didn’t use them again after our situation.”
Hacked companies typically have little to fall back on. Most companies doing PCI assessments have contracts restricting the liability of the assessors in the event something goes wrong, said David Navetta, a partner in Information Law Group’s Denver office who concentrates on data security breaches.
South Carolina taxpayer Amber Strautins sued Trustwave in 2012 in a putative class action after thugs hacked the computer systems of the South Carolina Department of Revenue, exposing the Social Security numbers of about 3.6 million people. The Revenue Department had contracted with Trustwave for security services. A federal judge in Illinois recently dismissed Strautins’ case, saying she didn’t demonstrate that her information had actually been stolen and compromised.
Now Trustwave is being sued alongside Target. On Monday, Trustmark National Bank of Jackson, Miss., and Green Bank of Houston together sued Trustwave and Target in federal court in Chicago. They accuse Trustwave of negligence in failing “to bring Target’s systems up to industry standards.”
The PCI Security Standards Council would not make an executive available to discuss Trustwave. A spokesman said it can’t speculate on the quality of assessments, and doesn’t disclose whether complaints about vendors have been filed or whether vendors have in the past been sanctioned by being put in remediation for improvement. Trustwave is not on the council’s current remediation list.
“From the council’s perspective, what these recent incidents indicate is the need for a strong focus for organizations on securing payment card data on a daily basis,” said council spokesman Mark Meissner. “Compliance does not equal security.”
“PCI Standards are the floor, not the ceiling.”