Restaurants Sue Vendor After ID Thefts

The suit claims that hundreds of customers had their identities stolen because the restaurants were sold payments terminals that were not PCI-DSS compliant.

The Atlanta-based company and its distributor are accused of negligence in widespread identity theft. The restaurants seek millions of dollars in damages from the two companies for "poor business practices and faulty software" that led to customers' identities being stolen. The restaurants include Best Western, Mel's Diner, Sammy's Grill, Crawfish Town USA, Jone's Creek Cafe, Don's Seafood and Picante's Mexican Grill.

Businesses that accept credit cards for payments are contractually obligated to use equipment and software from PCI-DSS compliant vendors. Charles Hoff, an attorney who is advising the restaurants in the lawsuit, says a special investigation by the United States Secret Service found that Computer World -- exclusive area distributor of Radiant Systems' "Aloha" POS software -- violated PCI-DSS provisions. Hoff is also general counsel for the Georgia Restaurant Association.

The restaurants claim they were sold earlier model POS systems despite being told they were new. Computer World is also accused of violating PCI standards by:

• using a remote access system that did not have adequate security patches;
• using the same password for at least 200 operators;
• failing to remove prior sensitive customer credit data upon installation of Radiant POS systems.

The suit claims Radiant Systems' negligence and failure to either instruct or monitor Computer World's work led to systems being compromised, leaving customers vulnerable to identity theft and fraud. Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant, but the restaurants didn't know this when they signed for the Aloha system, the suit charges.

The restaurants say they were then hit with fines and had to pay for forensic audits to trace the source of the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals. The suit seeks compensation to repay the penalties levied by the credit card companies and costs to track down and repair the POS system problems. Visa and MasterCard do not levy fines against merchants but fine their acquirers, who then pass on the cost to the merchants involved.

Hoff says the reputational loss for the restaurants is far greater than the money amounts involved, "When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them. When those claims of compliance and proper security practices turn out to be false, the restaurants are left to suffer huge financial losses due to financial penalties imposed by the credit card companies. Their reputations are tarnished. We're determined not to let Radiant and Computer World simply walk away from their responsibilities."

This is not the first suit against Radiant Systems. A similar suit was filed on behalf of Georgia restaurants in April 2009 in Georgia.

"It's a shame it had to come to this," Hoff says. "It is extremely disappointing that in this day a restaurant or merchant hires what they think is a reputable vendor and something like this happens."

Six of the seven restaurants have continued to use the Radiant product, Hoff says, mainly because of the cost involved in replacing point of sale equipment. "Once you install a system it's hard to pull out, and it costs money to replace," he says. One restaurant has resorted to taking only cash -- not credit cards -- at its location.

All seven restaurants are considered Level 4 merchants under PCI, and are the most vulnerable to losses incurred in breaches such as this, Hoff says. "What really hurts them is these are all single-owner operations or franchises. They don't have a large corporate body to fall back on for help."