Bank sues Savvis over 2005 CardSystems breach

Utah-based Merrick Bank claims to have lost $16 million as a result of a 2005 breach of payment card processor CardSystems Solutions and is now seeking legal restitution from an IT company it hired to audit the processor.

Merrick Bank is suing an information technology firm, Savvis, for negligence in its audit, which deemed the now-defunct CardSystems compliant with Visa and MasterCard's card transaction security standards. According to a complaint filed on May 12, 2009 in U.S. District Court, Eastern District of Missouri, before doing business with CardSystems in 2004, Merrick Bank hired Savvis to assess whether the payment processor met Visa and MasterCard's security requirements.

In its audit, Savvis concluded that CardSystems had sufficient security solutions and operated in line with industry best practices. Savvis recommended that CardSystems be recognized as compliant with Visa's Cardholder Information Security Program (CISP), which ensures that payment card processors have a secure network infrastructure in place and that certain security policies and operational procedures are being followed.

Shortly after passing the Savvis audit, CardSystems was listed as CISP-compliant by Visa, and Merrick allowed CardSystems to process transactions.

In 2005, less than a year after being deemed compliant by Savvis, CardSystems experienced a breach in which 40 million accounts were exposed. The breach occurred due to vulnerabilities in the processor's systems, which enabled a malicious hacker to infiltrate CardSystems' network and access cardholder data.

As a result of the breach, Merrick said it has paid out $16 million to Visa and MasterCard, which in turn have paid issuing banks that suffered fraud as a result of the breach, the complaint states.

“Savvis breached its duty to Merrick by failing to audit CardSystems in a competent and professional manner,” the complaint states.

Merrick's lawsuit charges Savvis with two counts of negligence. Merrick is seeking relief from Savvis in an unspecified amount, to be determined by the court if it rules in Merrick's favor.

“It is our policy not to comment on litigation,” a Savvis spokesman told SCMagazineUS.com on Thursday.

