Several restaurant owners in Louisiana and Mississippi are suing two companies that provided them with point-of-sale (POS) computer systems for credit card billing, saying that the systems were insecure and allowed hackers to steal thousands of customers’ credit card information.
Plaintiffs filed lawsuits in 15th Judicial District Court in Lafayette and in state district court in Baton Rouge earlier this year, alleging that Radiant Systems and Computer World of Louisiana sold them computer systems that were not compliant with industry security standards. The restaurant owners only discovered the problem when credit card companies contacted them and told them they were liable for tens of thousands of dollars in penalties, according to a story by The Advocate and WBRZ News 2 Louisiana.
Officials from the Secret Service and the Georgia Restaurant Association say there are signs that the credit card billing problem is not limited to Louisiana and could affect POS systems sold to businesses nationwide, potentially exposing business owners to fines, fees and chargebacks for fraudulent purchases made as a result of running systems that are not compliant with the credit card industry security standards.
The credit card billing lawsuit alleges that Radiant Systems’ internet-based Aloha POS software had insufficient security measures that allowed hackers to install a key-logger that recorded everything done on the restaurant’s cashier computers. The information was sent to Eastern Europe, where hackers used restaurant customers’ credit cards to make at least $1.2 million in illegal purchases. Secret Service officials say that at least 10,000 customers’ credit cards were exposed by Aloha POS security problems.
The lawsuits also charge that Computer World, the Aloha POS reseller, packaged older software as being new and in compliance with industry security standards, known as the Payment Card Industry Data Security Standard, or PCI-DSS. Computer World also allegedly added a remote access system to the Aloha POS that allowed the company to remotely connect to the restaurants’ computer systems, protected only by the password “computer.”
In 2007 VISA found the Aloha POS to be in violation of PCI-DSS because it stored data about credit cardholders on the system. Investigations by VISA auditors found that some restaurants’ Aloha POS installations had no anti-virus software on the point-of-sale terminals and insufficient firewalls, and that the system had been sold as new software by Computer World.
In some cases, restaurant owners were required to pay thousands of dollars to hire a VISA auditor or lose their ability to use credit cards. The restaurant owners were then charged tens of thousands of dollars more by VISA in fines and penalties based on the auditors’ findings.
Secret Service officials recommend that businesses with internet-based POS systems take time to ensure that the systems are compliant with current PCI-DSS security requirements.
The PCI Security Standards Council has a self-assessment questionnaire for merchants concerned about the security of their systems. The questionnaire is available at https://www.pcisecuritystandards.org/saq/index.shtml.
Lawyers are reviewing potential lawsuits for restaurant owners throughout the United States who incurred damages as a result of being sold a non-compliant internet-based POS system that allowed customer credit card information to be stolen.