December 02, 2009

PCI Compliance - Liability issue and class action suit

Radiant has a class action filed against it for claiming PCI compliance when in fact it was not compliant.



Nov 23, 2009 – Secret Service Investigation and Class Action Lawsuit Cast Shadow Over Radiant Systems and Louisiana Distributor

Atlanta Company and Distributor Accused of Negligence in Widespread Identity Theft at Restaurants

ATLANTA, November 23, 2009 — Forensic audit investigations conducted by credit company-approved experts concluded that the Louisiana-based distributor for Radiant Systems, Inc. (http://www.radiantsystems.com/) products violated data protocols that directly contributed to security breaches at restaurants in Louisiana and Mississippi. This finding of alleged negligence is at the heart of a collective action lawsuit filed by seven restaurants claiming that hundreds of customers had their identities stolen as a result of poor business practices and faulty software from Radiant and Computer World (the distributor).

The restaurants are seeking millions of dollars in damages from Radiant and Computer World.

“Our clients are restaurants. They are food experts, not technologists. When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them,” said Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit.

Hoff continued: “When those claims of compliance and proper security practices turn out to be false, the restaurants are left to suffer huge financial losses due to financial penalties imposed by the credit card companies. Their reputations are tarnished. We’re determined not to let Radiant and Computer World simply walk away from their responsibilities.”

PCI-DSS is a comprehensive set of technological requirements and consumer protections created by the major credit card companies to safeguard point of sale (POS) systems from hackers and protect consumers from identity theft. POS system vendors must follow these standards, and any business accepting credit cards for payments (such as restaurants) is contractually obligated to use equipment and software from PCI-DSS compliant vendors. The penalties for retailers that have their systems breached can be massive, even if the problems are the fault of the hardware and software vendors.

A special investigation by the United States Secret Service (the agency responsible for investigating cases of credit card fraud and identity theft) was also conducted given the multitude of Radiant POS systems subject to security breaches throughout Louisiana and Mississippi and the findings by the forensic reports that Computer World – exclusive area distributor of Radiant Systems’ “Aloha” POS software - violated PCI-DSS provisions. Among the findings:

1) Restaurants were sold earlier model POS systems although they were represented to be new models;
2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards;
3) Computer World used the same password for at least 200 operators in violation of PCI standards;
4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards.

As a result, the lawsuit’s plaintiffs are alleging that:

• Radiant Systems’ negligence and failure to either instruct or monitor Computer World’s actions led to systems being compromised, leaving the plaintiffs’ customers vulnerable to identity theft and fraud.

• Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant. (The restaurants were unaware of these warnings at the time they purchased the Aloha system.)

• Once the breaches occurred and cases of identity theft and fraud began to appear, Visa, MasterCard and the card processing companies invoked their contracts and directly penalized the restaurants for the actions of Radiant and Computer World. The plaintiffs were hit with huge fines and were required to pay for forensic audits to trace the problems, to reimburse fraud costs to the credit card companies and to pay for re-issuance of credit cards to affected individuals.

The lawsuit is seeking compensation to repay the penalties levied by the credit card companies and the massive costs to track down and repair the POS system problems. According to the attorneys, damages “could run well into seven figures”.

The restaurants have filed their lawsuit in the 15th Judicial District Court of Louisiana in Lafayette Parish and “will be seeking to raise awareness of the chaos and financial turmoil caused by companies such as Computer World and Radiant. We want other restaurants nationally to be aware of the hidden dangers posed by these technology companies and the unfair penalties imposed by the credit card companies,” said Shiel Gallagher of Gallagher & Gupta, PC, in Chicago, the second attorney leading the lawsuit.

“These huge companies shouldn’t have the power to destroy these restaurants. It’s a classic David-versus-Goliath story and we’re going to do what we can to protect what these small business owners have struggled to build.”

Posted by staff at December 2, 2009 11:49 AM