Restaurant Owners File Lawsuit Over Credit Card Billing Safety Problems
Several restaurant owners in Louisiana and Mississippi are suing two companies that provided them with point-of-sale (POS) computer systems for credit card billing, saying that the systems were insecure and allowed hackers to steal thousands of customers’ credit card information.
Plaintiffs filed lawsuits in 15th Judicial District Court in Lafayette and in state district court in Baton Rouge earlier this year, alleging that Radiant Systems and Computer World of Louisiana sold them computer systems that were not compliant with industry security standards. The restaurant owners only discovered the problem when credit card companies contacted them and told them they were liable for tens of thousands of dollars in penalties, according to a story by The Advocate and WBRZ News 2 Louisiana.
Officials from the Secret Service and the Georgia Restaurant Association say that there are signs that the credit card billing problem is not limited to Louisiana and could affect POS systems sold to businesses nationwide. Business owners whose systems are not compliant with the credit card industry security standards could be exposed to fines, fees and chargebacks for illegal purchases made as a result.
The credit card billing lawsuit alleges that Radiant Systems’ internet-based Aloha POS software had insufficient security measures that allowed hackers to install a key-logger that recorded everything done on the restaurant’s cashier computers. The information was sent to Eastern Europe, where hackers used restaurant customers’ credit cards to make at least $1.2 million in illegal purchases. Secret Service officials say that at least 10,000 customers’ credit cards were exposed by Aloha POS security problems.
The lawsuits also charge that Computer World, the Aloha POS reseller, packaged older software as being new and in compliance with industry security standards, known as the Payment Card Industry Data Security Standard, or PCI-DSS. Computer World also allegedly added a remote access system to the Aloha POS that allowed the company to remotely connect to the restaurants’ computer systems, protected only by the password “computer.”
In 2007, VISA found the Aloha POS to be in violation of PCI-DSS because it stored data about credit cardholders on the system. Investigations by VISA auditors found that some restaurants’ Aloha POS had no anti-virus software on the point-of-sale terminals, insufficient firewalls, and that the system had been sold as new software by Computer World.
In some cases, restaurant owners were required to pay thousands of dollars to hire a VISA auditor or lose their ability to use credit cards. The restaurant owners were then charged tens of thousands of dollars more by VISA in fines and penalties based on the auditors’ findings.
Secret Service officials recommend that businesses with internet-based POS systems take time to ensure that the systems are compliant with current PCI-DSS security requirements.
The PCI Security Standards Council has a self-assessment questionnaire for merchants concerned about the security of their systems. The questionnaire is available at https://www.pcisecuritystandards.org/saq/index.shtml.
Lawyers are reviewing potential lawsuits for restaurant owners throughout the United States who incurred damages as a result of being sold a non-compliant internet-based POS system that allowed customer credit card information to be stolen.
Chris, December 30, 2009 at 3:00 am

This article incorrectly states "Internet based" POS. Aloha POS is not an Internet based system. Rather, it is a standard client-server system that can use an existing Internet connection for credit card processing. Furthermore, actually unauthorized access was not the fault of the POS, but of the remote administration software. This is an important point as Aloha is not alone in this configuration. The term "Internet based" more correctly refers to what is now called Cloud computing, for which there are few available POS systems.