A group of US restaurants have filed a class action lawsuit against POS vendor Radiant Systems and its distributor Computer World, claiming hundreds of their customers had their identities stolen as a result of payment terminals that were not PCI-DSS compliant.
The seven restaurants in Louisiana and Mississippi are seeking millions of dollars in damages from Radiant and Computer World for "poor business practices and faulty software" that led to diners having their identities stolen.
Businesses accepting credit cards for payments are contractually obligated to use equipment and software from PCI-DSS compliant vendors.
In a statement, Charles Hoff, one of the attorneys acting as a legal advisor to the restaurants in the lawsuit, says a special investigation by the United States Secret Service found that Computer World - exclusive area distributor of Radiant Systems' "Aloha" POS software - violated PCI-DSS provisions.
The plaintiffs allege they were sold earlier model POS systems despite being told they were new. In addition, Computer World is accused of violating PCI standards by using a remote access system that did not have adequate security patches, using the same password for at least 200 operators, and failing to remove prior sensitive customer credit data upon installation of Radiant POS systems.
As a result, the lawsuit's plaintiffs are alleging that Radiant Systems' negligence and failure to either instruct or monitor Computer World's actions led to systems being compromised, leaving customers vulnerable to identity theft and fraud.
The suit also says Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant, although the restaurants were not aware of this when they signed for the Aloha system.
The restaurants say that this contributed to customers having their identities stolen, which led to Visa, MasterCard and the card processing companies invoking their contracts and directly penalising them.
The plaintiffs say they were "hit with huge fines" and required to pay for forensic audits to trace the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals.
The suit is seeking compensation to repay the penalties levied by the credit card companies and costs to track down and repair the POS system problems.
Says Hoff: "When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them. When those claims of compliance and proper security practices turn out to be false, the restaurants are left to suffer huge financial losses due to financial penalties imposed by the credit card companies. Their reputations are tarnished. We're determined not to let Radiant and Computer World simply walk away from their responsibilities."