IMGCAP(1)]
This article appears in the Dec. 10, 2009 issue of ISO&Agent Weekly.
A lawsuit involving seven Louisiana-based restaurant companies suing Radiant Systems Inc., a point-of-sale system maker, and Computer World Inc., a POS-equipment distributor, provides an example of why ISOs should review contracts between merchants and their acquirers, says one ISO legal advisor.
The seven allege the vendors failed to secure the Radiant POS systems the restaurants used that fraudsters subsequently breached.
The situation is a good example of why ISOs should protect themselves legally when entering into merchant contracts, says Adam Atlas, a Montreal-based attorney with Adam Atlas Attorney at Law. Though ISOs typically can shield themselves from being potential lawsuit defendants because merchant contracts are between merchants and acquirers, it is always best for ISOs to make sure they are not at risk of being sued by breached merchants, Atlas says.
According to the lawsuit, filed in March in the 15th Judicial District Court, Lafayette Parish, in Louisiana, plaintiffs Crawfish Town USA Inc., Don's Seafood & Steak House Inc., Mansy Enterprises LLC, Mel's Diner Part II Inc., Sammy's LLC, Sammy's of Zachary LLC and B.S. & J. Enterprises Inc. each purchased Alpharetta, Ga.-based Radiant's Aloha POS system from Scott, La.-based Computer World and contracts for software updates.
The merchants assumed their POS systems were secure until local law enforcement told them of "a potential compromise" of customer credit card information in spring 2008. The plaintiffs later determined that fraudsters planted keylogging software, which catalogs computer keystrokes, on their POS systems, enabling them to capture payment information, the suit says. The plaintiffs contacted Computer World, which was unable to secure the POS systems, the suit claims.
Computer World did not return ISO&Agent Weekly's requests by deadline.
The merchants ultimately paid unspecified fines to the card brands, the suit says.
The plaintiffs' attorney, Charles Y. Hoff, did not return messages seeking more details by ISO&Agent Weekly's deadline.
A Radiant spokesperson only would say the company believes the allegations against Radiant are without merit, "and we intend to vigorously defend ourselves."
The plaintiffs are asking for more than $50,000 in damages.
Beginning July 1, merchants will have no choice but to use POS systems that are compliant with the Payment Card Industry Payment Application Data Security Standard because Visa Inc. has mandated that merchant payment applications comply by that date.
ISOs that limit their liability often avoid lawsuits, but they also receive less revenue from their merchant relationships, Atlas says. Typically, more risk held by an ISO leads to a greater share of the revenue.
Those that take on more risk may "overlook the possibility that a processor may come after an ISO for fines that merchants are not willing to pay for their own security breaches," Atlas tells ISO&Agent Weekly.
Additionally, if there are fines, it can be difficult to contest them because the card brands have not disclosed publicly the formula for calculating fines, Atlas says.
"Hopefully, there's a rational basis from which they're calculated," he says.
The lawsuit and issues surrounding PCI compliance are good reasons for reviewing merchant contracts carefully, Atlas says.
