Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop

Now that a PCI lawsuit brought by four restaurants against a POS vendor and a systems integrator has been given class-action status, the case will survive and force a very interesting debate about exactly where a retailer's PCI liability should start.

The case involves four Louisiana restaurant groups—doing business as Crawfish Town USA, Don's Seafood and Steakhouse, Picante's Mexican Restaurant, Mel's Diner Part II and Sammy's Grill—suing their POS vendor, Radiant Systems (which owns the Aloha POS systems used by these chains), along with systems integrator Computer World (not to be confused with the publication Computerworld).

The accusation in the lawsuit is primarily that Radiant told customers that its Aloha POS systems were compliant with PCI when in fact they weren't. Computer World is accused of having violated further PCI rules and, as a result, these restaurants were breached. The lawsuit says that Visa had identified Aloha "as a payment application that stored prohibited data, such as full magnetic stripe data (including card verification and PIN data), after a transaction authorization was completed" but that Radiant continued to say that Aloha was PCI compliant.

"After the problems were identified and corrected, Plaintiffs were fined by credit card companies for failing to comply with the PCI Data Security Standards and/or their Payment Application Best Practices (PABP)," the lawsuit says. (OK, we all know that credit card companies can't fine retailers. The card brands fined the processors, which passed along the fees.)

But when you drill into the details of the lawsuit, it gets more interesting. One of the key accusations against Computer World is that it left vendor default passwords in place on the systems of many of these restaurants, for easier remote administration. The lawsuit correctly points out that PCI bans retailers from using such vendor default passwords.

But that's the key. It's the retailers that are not permitted to use these defaults. Was integrator Computer World, in this scenario, acting as an agent of the POS manufacturer—as a reseller—or as an agent of the retailer—as an integrator? If the latter, it means that the restaurants were paying Computer World to handle their IT for them, which would suggest that Computer World would be obligated to abide by PCI retailer rules.

But if you see Computer World as an agent of Radiant (as a reseller, that's a legitimate interpretation), then the restaurants retained the responsibility. Did Computer World ask the restaurants for permission to use those default passwords? If yes, did the integrator explain to the restaurants the implications of that choice, in terms of both PCI compliance and actual security?

The fact that these retailers were relatively tiny chains will also prove interesting. A McDonald's or Pizza Hut would be expected to have professional IT expertise in-house. But Sammy's Grill? These retailers rely on integrators and consultants for more than counsel and help. They expect these specialists to take over any and all IT functions, which—interestingly enough—could mean that some of the PCI retailer responsibilities might move with them.

Still, PCI rules are clear on this point: If a retailer chooses to accept credit cards, that business is also agreeing to abide by the rules. That responsibility can't be outsourced. Whether it makes sense for these chains to have the PCI responsibility is a debatable issue. But for now, the PCI rules are clear, as is the responsibility.