PCI: Merchants take on providers

A new case could set a precedent for a merchant community often overwhelmed by the burden of PCI compliance. A group of restaurants in Louisiana and Mississippi has sued a point-of-sale provider and its distributor, alleging the two vendors were actually the ones responsible for a series of data breaches at the eateries.

The plaintiffs contend that Radiant Systems and reseller Computer World manufactured, sold and maintained for them insecure and non-PCI-compliant software. This allowed Romanian hackers to remotely log in and install malware, enabling them to steal the debit and credit card numbers of customers. The complaint seeks millions of dollars in damages, part of which would be used to recoup fines Visa levied against the seven restaurants following the breach.

A lawsuit of this variety is rare – merchant against point-of-sale provider. However, legal experts said the plaintiffs will be hamstrung by the wording of the contracts, which likely immunize the service providers from liability.

“If Radiant and Computer World have their contracts buttoned up tight, I think it's going to be an uphill climb,” said Philadelphia attorney Andrew Baer, who advises his retail clients, when negotiating a contract with service providers, to include warranties of PCI compliance and remedies for recovering damages if a breach results from a product defect.

That is not feasible for most merchants, who tend to lack both the leverage and the money for counsel, Baer said.

“If you've got a small chain that has one or two stores, I think it's pretty difficult for them to ask the right questions,” said Dave Hogan, CIO of the National Retail Federation, a trade group. “You need to be a security expert.”

Hogan, an outspoken critic of PCI, wants to see technology implemented that would protect credit card data without placing any increased burden on the retailer.

Diana Kelley, founder of consultancy Security Curve, said she can see where the restaurants have a case, considering Visa alerted the two defendants in April 2007 that their systems were non-compliant. The eateries claimed they never learned of the warning, but Kelley said they were still required to perform a PCI assessment, which should have caught the vulnerabilities.

“We're going to have a judge put some case law on where the accountability does lie,” she said. “It really could change the landscape.”
