The complaint also states that Target outsourced several key security monitoring and management tasks to Trustwave, which then failed to live up to its obligations as a third-party security service provider.
Though Trustwave repeatedly touted its skills as a PCI auditor and a PCI security service provider, the company failed to identify the vulnerabilities in Target's networks that led to the breach, the complaint alleged. According to the complaint, just two months before the breach, Trustwave scanned Target's network and informed the retailer that no vulnerabilities were present, when in fact there were multiple problems.
"Because of these vulnerabilities in Target's security systems -- either undetected or ignored by Trustwave -- hackers were able to take 40 million payment card records, encrypted PINs, and 70 million records containing Target customer information over the course of two weeks," the complaint stated.
The complaint also alleges that Trustwave provided round-the-clock network monitoring services for Target yet failed to detect the intrusion into the company's networks for a full three weeks.
"Trustwave failed to live up to its promises, or to meet industry standards. Trustwave's failings, in turn, allowed hackers to cause the data breach and to steal Target customers' PII and sensitive payment card information," the two banks claimed.
Jim Huguelet, an independent retail security consultant, said blaming a QSA for a customer breach is somewhat disingenuous.
QSAs, like most auditors, are largely dependent on the information provided to them by clients, he said. If Target did not accurately communicate the details of its network access practices and security controls, Trustwave would have had a hard time finding those details on its own, without extensive and expensive testing.
"If a QSA wants to deeply, independently validate the information that is provided to them by brick-and-mortar retailers with large store footprints, the costs to do this will move from the five- and low six-digit range each year to the high-six and low seven-digit range. Retailers will push back hard."
Any QSA that insists on doing really deep-dive audits will quickly find itself priced out of the market by rivals willing to do a more perfunctory audit for substantially less, he said.