PCI Vendor Program for Assessment and Remediation


Four years after a major data breach occurred at CardSystems Solutions, the auditing company that certified the payment processor is being taken to court by the bank that contracted with CardSystems based on its report. Experts say that the lawsuit could set an important precedent for auditor accountability.

Utah-based Merrick Bank sued Savvis Inc. last year for negligence in auditing the security controls and policies CardSystems had in place; the breach that followed cost the bank $16 million in fraud-related losses. In June 2004, Savvis certified CardSystems Solutions as compliant with the Cardholder Information Security Program (CISP), the precursor of today's Payment Card Industry Data Security Standard (PCI DSS). On the strength of that certification Merrick Bank signed a contract with CardSystems to process credit card transactions for its customers. Merrick Bank alleges that Savvis failed to "competently and professionally assess CardSystems’ compliance," since it was later discovered that the processor had stored credit card data unencrypted for at least five years before the incident and that its firewall did not meet Visa's requirements. None of these lapses appeared in the audit report Savvis sent to Visa to obtain the certification.

Evans Resource Group offers PCI vendors a partnership in middleware assessment and remediation, with the only PCI-compliant solution for middleware developed in conjunction with IBM.

Why should you care? Many auditors focus on what they know. You may be comfortable with routers and network segmentation, but enterprise middleware is a complex component of the network, and the control an attacker gains over the enterprise through middleware that is not properly secured is profound. First with Hannaford Brothers and now with Heartland, the "trusted internal network" is the new frontier of data theft. Enabling SSL protects messages on the wire, but if administrative access is left exposed, attackers can disable SSL, or skip sniffing traffic entirely and simply browse the messages sitting in the message queues. The answer is not to redouble security at the perimeter; it is to apply meaningful controls at the messaging layer.

An auditor familiar with your messaging technology is a valuable asset if the goal is actually to assess security and not merely to pass the audit. Hannaford was reportedly the first breach of data in transit; Heartland was the biggest card data breach ever. If the bad guys are only up to the H's, what is in store for firms in the I to Z range? We prefer to think the answer is strict auditing of the messaging layer, not a wave of name changes to monikers starting with A through G. One of these alternatives could actually make a difference; the other is about as effective as what we have in place today.

Our Program Benefits Include:

  • Competitive advantage of providing an industry-recognized PCI solution
  • Increased revenue streams without costly acquisition
  • Market expansion to a new client base
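The "Why should you care?" passage above turns on one concrete condition: a queue manager whose client channels accept connections without TLS, or with an administrative identity, lets an attacker read or reconfigure the messaging layer regardless of what the perimeter does. The script below is an added example written for this page; it is not Evans Resource Group's product nor IBM code. It parses a constructed fragment of IBM MQ MQSC `DISPLAY CHANNEL` output (the column layout, the `AMQ8414I` record header and the `ADMIN_USERS` set are assumptions about a typical installation) and flags SVRCONN channels that would give a client clear-text or administrative access.

```python
"""Flag IBM MQ SVRCONN channels that expose clear-text or administrative client access.

Added example for this page, not Evans Resource Group or IBM code. The input
format is assumed to be that of `DISPLAY CHANNEL(*) CHLTYPE SSLCIPH MCAUSER`
run through runmqsc; real output may differ by MQ version.
"""
import re

# Constructed sample output, not captured from a real queue manager.
SAMPLE_MQSC = """\
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)                CHLTYPE(SVRCONN)
   SSLCIPH( )                                MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                       CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)  MCAUSER(appuser)
AMQ8414I: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                     CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)  MCAUSER(mqm)
AMQ8414I: Display Channel details.
   CHANNEL(TO.PARTNER)                        CHLTYPE(SDR)
   SSLCIPH( )
"""

RECORD_HEADER = "AMQ8414I: Display Channel details."
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")

# Identities that carry full queue-manager administration (assumed list:
# the mqm group on UNIX, the default MQ service account on Windows).
ADMIN_USERS = {"mqm", "MUSR_MQADMIN"}


def parse_channels(text):
    """Split MQSC output into one attribute dict per channel record."""
    channels = []
    for record in text.split(RECORD_HEADER):
        attrs = {key: value.strip() for key, value in ATTR_RE.findall(record)}
        if "CHANNEL" in attrs:          # skip the empty chunk before the first header
            channels.append(attrs)
    return channels


def audit_channels(text):
    """Return (channel, finding) pairs for client-connection channels that let a
    client in without TLS or with an administrative identity."""
    findings = []
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue                    # sender/receiver channels need a separate review
        name = ch["CHANNEL"]
        if not ch.get("SSLCIPH"):
            findings.append((name, "no SSLCIPH: client traffic and credentials cross the wire in clear"))
        mcauser = ch.get("MCAUSER", "")
        if mcauser == "":
            # Blank MCAUSER means the user ID asserted by the client is trusted,
            # so any client can claim to be an administrator.
            findings.append((name, "blank MCAUSER: client-asserted user ID is trusted"))
        elif mcauser in ADMIN_USERS:
            findings.append((name, f"MCAUSER({mcauser}) gives every connecting client full admin rights"))
    return findings


if __name__ == "__main__":
    for channel, finding in audit_channels(SAMPLE_MQSC):
        print(f"{channel}: {finding}")
```

On the constructed sample this reports the default `SYSTEM.DEF.SVRCONN` channel twice (no cipher, blank MCAUSER) and `ADMIN.SVRCONN` once (mqm identity), and is silent on `APP.SVRCONN`. Treat it as one check among several: on queue managers that support channel authentication records, `DISPLAY CHLAUTH(*)` must be reviewed as well, since a blocking rule there can close a hole this check would otherwise report.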


To learn more, contact info@evansresourcegroup.com or call 212.937.8443

Read our Whitepaper: Middleware audits and remediation for PCI Compliance: The new frontier of PCI. An Evans Resource Group Whitepaper for the PCI Vendor, Chief Risk Officer, Chief Security Officer, and Internal Auditor