GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

The road ahead for mobile payments


Industry Update

Interchange in federal sights - again

Will Merrick's lawsuit affect PCI auditors?

Respect sought for MLSs

Pulse touts positive debit trends


A bad man gone good

Selling Prepaid

Prepaid in brief

nFinanSe lowers already 'lowest' activation fee

Franchise that closed-loop

Prepaid, quite an opportunity


Interchange debate rages on

Patti Murphy
The Takoma Group

Mobile payments gaining traction - finally

Ben Goretsky
USA ePay


Street SmartsSM:
Raising the networking bar

Jon Perry and Vanessa Lang

Negotiate to get your way

Vicki M. Daughdrill
Small Business Resources LLC

Fallout from the Great Recession

Adam Atlas
Attorney at Law

Stand alone or marry up

Dale S. Laszig
DSL Direct LLC

Want a long-lasting relationship? Snail away

Nancy Drexler
SignaPay Ltd.

Company Profile


Clearent LLC

New Products

Processing in a matrix

Multiple Merchant Account Matrix
Ezic Inc.

Don't kick the machine - call a number

ePort EDGE
USA Technologies Inc.


Welcome your inner dingbat



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

June 22, 2009  •  Issue 09:06:02

previous next

Will Merrick's lawsuit affect PCI auditors?

Merrick Bank Corp. filed suit on May 12, 2008, against Savvis Inc. (formerly Savvis Communications Corp.), alleging negligence and negligent misrepresentation in 2004 when Savvis certified that Merrick's processor, CardSystems Solutions Inc., was compliant with the Card Information Security Program (CISP), then the prevailing payments industry data security standard. CardSystems was subsequently breached.

CISP was instituted by Visa U.S.A. (now Visa Inc.) and was a precursor to today's Payment Card Industry (PCI) Data Security Standard (DSS).

In the complaint - filed in the United States District Court, Eastern District of Missouri, Eastern Division - Merrick declares it incurred $16 million in damages in the form of payments and assessments to Visa and MasterCard International (now MasterCard Worldwide) and related legal fees.

Following is a timeline of alleged events in the case:

According to Attorney Theodore Monroe, who specializes in the payments industry, the case centers on whether Savvis, through its contract with CardSystems, is liable for damages incurred by a third party (Merrick).

"There may be a question of whether the auditor owed a duty of care to Merrick here or just a duty of care to CardSystems," Monroe said. "And I don't know if that will be an issue here or not.

"The issue that Savvis will likely bring up is that the duty of care does not extend beyond CardSystems."

The allegations

According to the complaint, Visa certified Savvis as a CISP auditor. The complaint further alleges the following:

The complaint also claims that after the breach, a forensic investigation found the processor to have been noncompliant during the time it was certified CISP-compliant by Savvis. Specifically, the complaint asserts the following:

The suit also alleges the forensic investigation discovered CardSystems had been "improperly and continuously storing unencrypted card transaction data on its servers for over five years."

The first count of alleged negligence reads, "Savvis provided the ROC to Visa knowing and intending that Visa would provide the ROC and its recommendation of 'full compliance' with CISP to banks, like Merrick, then considering a direct contractual relationship with CardSystems and that Visa and such banks would rely thereon."

The second count, negligent misrepresentation, asserts that the ROC was false and misleading. "Savvis failed to use reasonable care and competence in representing that CardSystems was CISP compliant when in fact it was not," the complaint stated.


Monroe said that if Merrick wins the suit, the card companies will probably make the process of conducting an audit more rigorous, and that may thin out the number of certified auditors.

"Any time you have an auditor, whether it's a financial auditor or an auditor in this context, you've got to be concerned about the auditors just going out there rubber-stamping the client and taking their check," Monroe said. "And I think that's the long-term concern here. You don't want the auditors attesting for things that they haven't done."

Monroe believes if the ruling goes against Merrick, acquiring banks entering into relationships with processors will ask for third-party beneficiary rights. That will give the banks the same right to sue in the event of a breach.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Board Studios