PCI: Merchants take on providers

January 8, 2010
A new case could set a precedent for a merchant community often overwhelmed by the burden of PCI compliance. A group of restaurants in Louisiana and Mississippi has sued a point-of-sale provider and its distributor, alleging the two vendors were actually the ones responsible for a series of data breaches at the eateries.

The plaintiffs contend that Radiant Systems and reseller Computer World manufactured, sold and maintained insecure, non-PCI-compliant software for them. This allowed Romanian hackers to log in remotely and install malware, enabling them to steal the debit and credit card numbers of customers. The complaint seeks millions of dollars in damages, part of which would be used to recoup fines Visa levied against the seven restaurants following the breach.

A lawsuit of this variety, merchant against point-of-sale provider, is rare. However, legal experts said the plaintiffs will be hamstrung by the wording of their contracts, which likely immunize the service providers from liability.

“If Radiant and Computer World have their contracts buttoned up tight, I think it's going to be an uphill climb,” said Philadelphia attorney Andrew Baer, who advises his retail clients, when negotiating a contract with service providers, to include warranties of PCI compliance and remedies for recovering damages if a breach results from a product defect.

That is not feasible for most merchants, who tend to lack both leverage and money for counsel, Baer said.

“If you've got a small chain that has one or two stores, I think it's pretty difficult for them to ask the right questions,” said Dave Hogan, CIO of the National Retail Federation, a trade group. “You need to be a security expert.”

Hogan, an outspoken critic of PCI, wants to see technology implemented that would protect credit card data without placing any increased burden on the retailer.

Diana Kelley, founder of consultancy Security Curve, said she understands why the restaurants may have a case, considering Visa alerted the two defendants in April 2007 that their systems were non-compliant. The eateries claimed they never learned of the warning, but Kelley said they were still required to perform their own PCI assessment, which should have caught the vulnerabilities.

“We're going to have a judge put some case law on where the accountability does lie,” she said. “It really could change the landscape.”