Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations.
However, do they have a case?
The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Approved Scanning Vendors (ASVs) are recognised by the PCI Security Standards Council (PCI SSC) to perform PCI data security scanning, whilst Qualified Security Assessors (QSAs) are recognised by the PCI SSC to perform PCI data security assessments.
The SAQ considers the 12 PCI DSS Requirements as one-liners – e.g. No. 3 “Protect stored cardholder data” or No. 9 “Restrict physical access to cardholder data” – that’s it. It’s entirely at the Merchant/Service Provider’s internal discretion as to how diligently they conduct the self-assessment.
Service Providers such as Checkpoint would only be required to perform an annual SAQ, and have a quarterly Network scan by an ASV.
I can find no evidence that Savvis was ever on the list of QSAs in their own right. Savvis still offer a PCI Compliance service in which they partner with an unnamed ASV – but who is not described in the literature as a QSA.
So a case could be made that Merrick should have done their homework on PCI DSS before selecting Savvis: if they wanted more than just a Network Scan, and wanted assurance that Cardholder data was protected, then they should have commissioned a Report on Compliance by a QSA.
caveat emptor
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.