Merrick Suit Against Savvis Advances


Merrick Bank Corp.'s lawsuit against Savvis Inc., a technology firm that certified breached processor CardSystems Solutions Inc. as compliant with Visa Inc.'s security protocol, has moved to the U.S. District Court for the District of Arizona to make it more convenient to call witnesses.

In 2005, Atlanta-based CardSystems said it improperly retained sensitive transaction data when card association rules banned that practice (CardLine, 6/20/05). Hackers found a way to access CardSystems' network and compromised as many as 40 million card-account numbers, the lawsuit says.

Draper, Utah-based Merrick filed the lawsuit in the Eastern District of Missouri last year. Savvis is based in Town and Country, Mo. Merrick, a merchant-acquiring bank, retained CardSystems as a processor in 2004 following the Savvis certification of the CardSystems network.

Merrick alleges two counts against Savvis: negligence and negligent misrepresentation. In the suit, Merrick alleges that less than one year after Savvis said Atlanta-based CardSystems was compliant with Visa's Cardholder Information Security Program (CISP), hackers were able to get past a "substandard" firewall and retrieve the card data. Merrick alleges that CardSystems' "inadequate firewalls, improper data retention and failure to encrypt data were all obvious failures to comply with CISP." The suit alleges that the Savvis-issued certificate of compliance was "false and misleading."

Attorneys for each party in the suit declined to comment, citing pending litigation.

Merrick says it paid $16 million in breach-related penalties to the card brands following the breach. Pay By Touch, a biometrics payment company, later bought CardSystems for $47 million (CardLine, 12/12/05). Pay By Touch has since ceased operating (CardLine, 3/14/08).

