Merrick Bank vs. Savvis: Analysis from InfoSecSecurity

Merrick Bank vs. Savvis: Analysis from InfoSecSecurity

Posted by John B. Frank Thursday, June 4, 2009

Editor's Note: InfoSecCompliance LLC (”ISC”) is a law
firm dedicated to providing solutions for privacy and security legal
compliance and risk management and here's an excerpt from a recent post (yesterday) on their blog.

Merrick Bank v. Savvis: Analysis of the Merrick Bank Complaint

Posted on June 3rd, 2009 by David Navetta of InfoSecCompliance.com

The Merrick Bank v. Savvis lawsuit has the potential to change the liability
dynamic of the PCI regulatory system. The Savvis case is one of the
first known instances of a payment card security assessor being sued by
a merchant bank ( the merchant bank is a third party relative to the
Savvis-CardSystems relationship). The Merrick Bank compliant alleges
that it relied on Savvis’ certification of CardSystems as Visa CISP
compliant (this matter pre-dated the PCI standard), and that
certification was false. After CardSystems suffered a breach exposing
up to 40 million payment card records, Merrick allegedly incurred $16
million in payments to the card brands (which was ultimately
transferred to issuing banks who suffered losses arising out of the CardSystem breach).

If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme. This post discusses the two theories of liability alleged by Merrick: (1) negligence; and (2) negligent misrepresentation.

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time. If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at djn@davidnavetta.com

One further note, the basic rules and general information in this document was derived from various legal research sources. However, one book in particular provided excellent information on the liability of service providers to third parties. Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).

UPDATE: Other bloggers/mags are putting together some nice analysis of this case as well: here, here

Continue Reading at InfoSecCompliance.com

Merrick Bank, Savvis, PCI, Jay M. Feinman

0 comments

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

All Top Banking