Normally when we discuss a recent project, we review the client’s challenges and objectives and how we helped meet them. This case was a bit different.
We were contacted by one of our Resellers who had a former client who had sold his company at the beginning of 2017. The business was an online retailer, and had been sold to the new owners as PCI compliant. The new owners had a PCI audit performed, were told they were far from compliant, and were suing the former owner for damages in excess of $700,000.
Foresite agreed to take a call with the former owner to see how we could help. He explained that he believed his business was PCI compliant because his internal IT Director had completed the PCI Self-Assessment Questionnaires each year, and in 2017 he had also signed off on the questionnaire himself, since the signature of a C-level executive is now required. He didn’t really understand what he was signing, but he trusted his resource and so he signed it. He also explained that his company was a single location, gave us the approximate volume of annual credit card transactions, and said he would send over the report he received with the lawsuit notification.
When we received the documentation, we saw a few things that did not seem right. First, the “audit report” was not an official PCI audit report, nor a Prioritized Approach document showing the remediation required to become PCI compliant. Instead, it was simply an invoice for $200k in “hardware and software” and $500k+ for “consulting”. The firm that submitted the invoice as the PCI auditor was also not listed on the PCI Council’s website.
We reached back out to our client, the former owner, and told him this did not add up. In all of our years of experience helping businesses to meet the compliance requirements, we have never seen a remediation cost even close to that for a business that size. Add to that the fact that this was approximately 6 months after the sale of the business, and to accrue over $500k of consulting hours in that amount of time would be highly unlikely. We agreed to “take the case” and work with the client and his lawyer to respond to the lawsuit.
A cross-complaint has been filed based on our input. Although a settlement has not yet been reached, there are a few important lessons to take from this story:
- Have a qualified outside resource validate what you have in place for cyber security/compliance – especially if you have to sign off on it.
- Check credentials when you use an outside resource.
- Bring in the experts if you are served with papers. We may still be able to help you.