Merrick Bank Corp. filed suit on May 12, 2008, against Savvis Inc. (formerly Savvis Communications Corp.), alleging negligence and negligent misrepresentation arising from a 2004 engagement in which Savvis certified that Merrick's processor, CardSystems Solutions Inc., was compliant with the Cardholder Information Security Program (CISP), then the prevailing payments industry data security standard. CardSystems was subsequently breached.
CISP was instituted by Visa U.S.A. (now Visa Inc.) and was a precursor to today's Payment Card Industry (PCI) Data Security Standard (DSS).
In the complaint - filed in the United States District Court, Eastern District of Missouri, Eastern Division - Merrick declares it incurred $16 million in damages in the form of payments and assessments to Visa and MasterCard International (now MasterCard Worldwide) and related legal fees.
Following is a timeline of alleged events in the case:
According to Attorney Theodore Monroe, who specializes in the payments industry, the case centers on whether Savvis, through its contract with CardSystems, is liable for damages incurred by a third party (Merrick).
"There may be a question of whether the auditor owed a duty of care to Merrick here or just a duty of care to CardSystems," Monroe said. "And I don't know if that will be an issue here or not.
"The issue that Savvis will likely bring up is that the duty of care does not extend beyond CardSystems."
According to the complaint, Visa certified Savvis as a CISP auditor. The complaint further alleges the following:
The complaint also claims that after the breach, a forensic investigation found the processor to have been noncompliant during the time it was certified CISP-compliant by Savvis. Specifically, the complaint asserts the following:
The suit also alleges the forensic investigation discovered CardSystems had been "improperly and continuously storing unencrypted card transaction data on its servers for over five years."
The first count, negligence, concerns the Report on Compliance (ROC) that Savvis issued for CardSystems. It reads, "Savvis provided the ROC to Visa knowing and intending that Visa would provide the ROC and its recommendation of 'full compliance' with CISP to banks, like Merrick, then considering a direct contractual relationship with CardSystems and that Visa and such banks would rely thereon."
The second count, negligent misrepresentation, asserts that the ROC was false and misleading. "Savvis failed to use reasonable care and competence in representing that CardSystems was CISP compliant when in fact it was not," the complaint stated.
Monroe said that if Merrick wins the suit, the card companies will probably make the process of conducting an audit more rigorous, and that may thin out the number of certified auditors.
"Any time you have an auditor, whether it's a financial auditor or an auditor in this context, you've got to be concerned about the auditors just going out there rubber-stamping the client and taking their check," Monroe said. "And I think that's the long-term concern here. You don't want the auditors attesting for things that they haven't done."
Monroe believes that if the ruling goes against Merrick, acquiring banks entering into relationships with processors will ask for third-party beneficiary rights in the processor's auditor contract. Such rights would give a bank the same standing to sue the auditor in the event of a breach that the contracting processor has.