The plaintiffs contend that Radiant Systems and reseller Computer World manufactured, sold and maintained for them insecure and non-PCI compliant software. This allowed Romanian hackers to remotely login and install malware, enabling them to steal the debit and credit card numbers of customers. The complaint seeks millions of dollars in damages, part of which would be used to recoup fines Visa levied against the seven restaurants following the breach.A lawsuit of this variety is rare – merchant against point-of-sale provider. However, legal experts said the plaintiffs will be hamstrung by the wording of the contracts, which likely immunize the service providers from liability.
“If Radiant and Computer World have their contracts buttoned up tight, I think it's going to be an uphill climb,” said Philadelphia attorney Andrew Baer, who advises his retail clients, when negotiating a contract with service providers, to include warranties of PCI compliance and remedies for recovering damages if a breach results from a product defect.That is not feasible for most merchants, who tend to lack leverage ability and money for counsel, Baer said.
Hogan, an outspoken critic of PCI, wants to see technology implemented that would protect credit card data without placing any increased burden on the retailer.
Diana Kelley, founder of consultancy Security Curve, said she understands where the restaurants have a case, considering Visa alerted the two defendants in April 2007 that their systems were non-compliant. The eateries claimed they never learned of the warning, but Kelley said they still are required to perform a PCI assessment, which should have caught the vulnerabilities.“We're going to have a judge put some case law on where the accountability does lie,” she said. “It really could change the landscape.”