Bank sues Savvis over 2005 CardSystems breach

Utah-based Merrick Bank claims to have lost $16 million as a result of a 2005 breach of payment card processor CardSystems Solutions and is now seeking legal restitution from an IT company it hired to audit the processor.

Merrick Bank is suing an information technology firm, Savvis, for negligence in its audit, which deemed the now defunct CardSystems compliant with Visa and MasterCard's card transaction security standards. According to a complaint filed on May 12, 2009 in U.S. District Court, Eastern District of Missouri, before doing business with CardSystems in 2004, Merrick Bank hired Savvis to assess whether the payment processor met Visa and MasterCard's security requirements.

In its audit, Savvis concluded that CardSystems had sufficient security solutions and operated in line with industry best practices. Savvis recommended that CardSystems be recognized as compliant with Visa's Cardholder Information Security Program (CISP), which ensured that payment card processors had a secure network infrastructure in place and that certain security policies and operational procedures were being followed.

Shortly after passing the Savvis audit, CardSystems was listed as CISP-compliant by Visa, and Merrick allowed CardSystems to process transactions.

In 2005, less than a year after being deemed compliant by Savvis, CardSystems experienced a breach in which 40 million accounts were exposed. The breach occurred due to vulnerabilities in the processor's systems, which enabled a malicious hacker to infiltrate CardSystems' network and access cardholder data.

As a result of the breach, Merrick said it has paid out $16 million to Visa and MasterCard, which in turn have paid issuing banks that suffered fraud as a result of the breach, the complaint states.

“Savvis breached its duty to Merrick by failing to audit CardSystems in a competent and professional manner,” the complaint states.

Merrick's lawsuit charges Savvis with two counts of negligence. Merrick is seeking relief from Savvis in an unspecified amount, to be determined by the court if it rules in Merrick's favor.

“It is our policy not to comment on litigation,” a Savvis spokesman said on Thursday.
