Seven restaurant chains that suffered data breaches are suing the maker and distributor of a bank card processing system, which they say was vulnerable and allowed hackers to steal customer information.
The restaurants, located in Louisiana and Mississippi, have filed a class-action lawsuit against Georgia-based point-of-sale (POS) vendor Radiant Systems and its distributor Computer World, based in Louisiana.
Radiant's and Computer World's business practices and POS software were in violation of the Payment Card Industry Data Security Standard (PCI-DSS), according to the lawsuit. The victimized restaurants were all using Radiant Systems' Aloha POS system, on which hackers, believed to originate from Romania, were able to install keyloggers and steal credit card numbers, resulting in hundreds of customers becoming victims of identity theft.
Radiant and Computer World were warned in 2007 by Visa that the Aloha POS system unnecessarily stored sensitive cardholder data, including card verification codes and PINs, which was in violation of the PCI-DSS and made the software a viable target for data breaches, according to the plaintiffs' petition for damages. Around the same time, Computer World, which sold the Aloha POS software, advertised the system as compliant with the PCI-DSS.
“What we would like to see is for vendors to be more responsible to the merchants,” Charles Hoff, lawyer for the Georgia Restaurant Association and one of the plaintiff restaurants, told SCMagazineUS.com on Wednesday. “Merchants have their own responsibilities under PCI. When they entrust to reputable point-of-sale vendors that they are going to be doing everything correctly pursuant to PCI, then the vendors need to be accountable to the merchants.”
Under the PCI-DSS guidelines, merchants are required to develop and maintain secure systems and applications.
The PCI standard that applies to vendors of POS systems is the Payment Application Data Security Standard (PA-DSS), which states that software vendors must develop secure payment applications that do not store certain sensitive data and that maintain compliance with the PCI-DSS. The PCI Security Standards Council, which manages the PCI-DSS, took over administration of the PA-DSS in 2008. At least one card brand, Visa, requires merchants to use only certified payment application providers.
The victim restaurants are seeking millions of dollars in damages to repay penalties and fines imposed by credit card companies as a result of the breaches, which happened more than two years ago, in addition to the forensic review costs they incurred.
The lawsuit contends that in addition to selling vulnerable POS systems, Computer World failed to remove previously stored sensitive customer data when installing the Aloha POS systems. Also, to repair the Aloha product off-site, Computer World used a remote access system that was not kept adequately patched.
“A number of practices were contrary to the PCI standards,” Hoff said.
In a statement sent to SCMagazineUS.com on Tuesday, Radiant Systems said: “Unfortunately in today’s world, criminal acts like these are not uncommon in the restaurant industry. What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry. We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”
Contact information for Computer World could not be obtained. The PCI Security Standards Council declined comment.
Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Wednesday that the lawsuit highlights communication problems within the PCI compliance process.
“I personally don’t think it’s right to hold the restaurant accountable,” she said. “It’s not right to fine the restaurants when they are not security experts. They are not in the business of security. They are in the business of selling food. They don’t have the means to test the software in the system to see if it’s storing sensitive data. They just have to believe the vendor.”
Merchants should ensure that their payment applications are on the PCI council’s list of certified providers, Litan recommended. In addition, when contracting with technology and service providers, merchants should ensure the POS vendor assumes liability if a breach occurs.
The plaintiffs in the lawsuit are Crawfish Town USA, Don’s Seafood & Steak House, Jones Creek Café and Oyster bar, Mel’s Diner, Picante’s Mexican Restaurant, and two Sammy’s Grill restaurants.