Case Study – The dangers of not verifying your cyber compliance

Note: This is a true story of a recent engagement.  A few details were modified slightly to conceal the identity of the client.

We had a call from one of our Channel Resellers asking if we could help him with a unique situation.  A former client of his was a C-level executive who had sold his company about six months prior, and had just received a notice of a lawsuit from the new owners.  The business had been sold as being Payment Card Industry (PCI) compliant, but apparently the new ownership had brought in an auditor who said it was not compliant.

We agreed to help, and set up a consulting retainer with our Lead PCI Qualified Security Assessor (QSA).  During the initial call, we interviewed the former business owner to get some background, understand what (if any) documentation he had, and to see a copy of the legal documents he had received.  We learned during this call:

• Despite the fact that the business was largely based on website orders and credit card payments, the former owners had never had their PCI compliance verified by an outside party.
• The internal IT Director who had prepared the company’s PCI Self-Assessment Questionnaires (SAQ) to attest that they were meeting compliance requirements was still there and now working for the new owners.  The former owner had signed the SAQs for years without validating the responses because he assumed his internal resource understood what was required and trusted that the documents were completed accurately.
• The new ownership claimed to have contracted for a PCI audit, and were now suing for remediation costs of over $700,000 to mitigate the controls they had to put in place to meet the PCI compliance requirements.

As we started our analysis of the information we had collected on the call, and the supporting documents, we were struck by several things.  First, the “auditor” hired by the new owners was not a PCI QSA and was not able to perform an actual PCI audit.  Second, the “auditors” company then claimed to have performed remediation costing over $700,000 for a single-location business that didn’t have enough transactions to require an audit, which is why they had filled out SAQs for prior years.  In our experience with much larger retailers, some of whom had a lot of remediation needed to meet PCI compliance when we started working with them, none of them had required that kind of budget for anything that could have been completely remediated in under 6 months.

Things got even more interesting when we had our client’s attorney request a copy of the audit and detailed accounting of the remediation.  An actual PCI DSS audit report was not produced, only some findings in a Word document and an invoice for some new hardware and $502,000 in “remediation” labor.

In the end, our client recognized that he had unintentionally misrepresented his company’s PCI compliance status when he made the sale, and the new owners realized that they had not done due diligence when hiring their “PCI expert”, and they reached an out of court settlement.

What can be learned from this case?

1.  Verify your regulatory compliance/cybersecurity with an outside 3rd party.  Your internal staff may mean well, but if they are not trained and experienced in auditing, you are still ultimately responsible to protect the data in your care.
2.  Perform due diligence by verifying credentials, asking for references, and discussing previous engagements.  PCI makes it easy with a website to confirm credentials for PCI QSAs and QSACs (companies that can perform PCI audits).
3. Maintain Separation of Duties.  Your auditor may be retained to consult to help you through remediation, but should not be the one to sell you the solutions.