Let the games begin.
It seems that Radiant Systems, a point of sale terminal company, and Computer World, the company that sold and maintained the Radiant system, are in a bit of a pickle. Seven restaurants are suing them for producing insecure systems that led to security breaches, which led to fines for the breached companies, chargebacks, card replacement costs, and investigative costs. These are real costs, people, none of that silly “lost business and reputation” garbage.
The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.
Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.
The breaches seemed to result from two failures – one by Radiant (who makes the system), and one by Computer World (who installed and maintained it).
- The Radiant system stored magnetic track data unencrypted, a violation of PCI standards.
- Computer World enabled remote access for the system (the control server on premise) using a default username and password.
While I’ve railed against PCI at times, this is an example of how the system can work. By defining a baseline that can be used in civil cases, it really does force the PoS vendors to improve security. This is peripheral to the intent and function of PCI, but beneficial nonetheless. This case also highlights how these issues can affect smaller businesses. If you read the source article, you can feel the anger of the merchants at the system and costs thrust on them by the card companies. Keep in mind, they are already pissed since they have to pay 2-5% on every transaction so you can get your airline miles, fake diamond bracelets, and cheap gift cards.
The quote from the vendor is priceless, and if the accusations in the lawsuit are even close to accurate, totally baseless:
“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal-Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”
Maybe they can go join a certain ex-governor from Illinois on the next season of The Celebrity Apprentice, since they are reading from the same playbook.
There are a few lessons in this situation:
- The lines have moved, and PCI now affects civil liability and government regulation.
- PCI compliance, and Internet-based cardholder security, now affect even small merchants, even those without an Internet presence.
- We have a growing body of direct loss measurements (time to revise my Data Breach Costs model).
- We are seeing product liability in action… by the courts, not legislation.
- As with many other breaches, following the most basic security principles could have prevented these.
I think this last quote sums up the merchant side perfectly:
“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault… . When you buy a system for $20,000, you feel like you’re getting a state-of-the-art sytem. Then three to four months after I bought the sytem I’m hacked into.”
Reader interactions
24 Replies to “Quick Thoughts on the Point of Sale Security Fail Lawsuit”
@Scott cash is great and all but a real hassle to carry around. From a consumers point of view I think CCs are more secure than cash. My CC gets stolen I am out maybe $50 tops, if I carry more than $50 cash it is all done if it gets taken.
@Anton
I understand it was on the list. I was just raising the question of whether or not it was legitimately on the list. I.e. did the QSA miss something? Or was it properly assed but misinstalled? Or both? Seems weird that track data was being stored and could see it being screwed up in either stage.
Heck- cash also makes you MUCH more aware of how much you are actually spending.
Wow if the VAR was that shady makes you wonder if they where getting paid off or involved with the data theft directly.
Screw PCI, Mastercard and Visa. Deal in cash only! The shops like it and you’ll never put another nickle in the payment processor’s pocket.
If Radiant is the “most secure in the industry” then the industry must be pretty bad.
I don’t know anything about the system but I can see a situation where computer world might be the total culprit. Perhaps they setup the system to store the magnetic track data when they should not have? I guess it will all come out, but it is possible Radiant is the “most secure” but the person setting it up made it the most insecure.
How did this pass an ASV audit though? seems like default passwords are exactly the type of thing quarterly scans should pickup. Perhaps POS makers should be required to submit default user/pass info to scan vendors?
Having worked on numerous forensics cases which involved this POS vendor and others, for restaurants ranging in size from the mom’s and pop’s to the major franchises, I can say with out a doubt, most of these merchants never heard of PCI, it was most likely a line item in their merchant bank’s renewal paper work. To these merchants, they purchased an appliance which was a POS for the use of selling food and drinks. Then they are told they are a Common Point of Purchase and are required to hire a forensics examiner. Most of the times, these mom and pop’s are put out of business due to the legal fees and fines (of the 75 cases I have worked I never knew Visa/Mcard to drop fines). And the most unfair issue is that compared to the large merchants (Fortune 2000) the fines are way out of proportion. We would be seeing $400 Million fines for the largest compromises if PCI Co. were fair.
David, you are falling for the same confusion!
1. The app was “PA-DSS compliant” (from the above) – i.e. it was “on the list”
2. The app was deployed NOT in PCI DSS compliant manner (from all the reports)
The 1 and 2 have very little to do with each other and there is no confusion.
It gets better:
According to http://www.prlog.org/10425165-secret-service-investigation-class-action-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html:
“A special investigation by the United States Secret Service (the agency responsible for investigating cases of credit card fraud and identity theft) was also conducted given the multitude of Radiant POS systems subject to security breaches throughout Louisiana and Mississippi and the findings by the forensic reports that Computer World
Another important angle of this was that (reportedly) it was the PA-DSS compliant app which was deployed (by the sued implementer) in a BLATANTLY non-PCI DSS compliance manner.
Today, some apps from Radiant are on the PA-DSS list now, so we can’t say for sure that the deployed one was PA-DSS OK (it was rumored to be so). However, we do know that it was deployed in non-PCI-compliant manner.
Sadly, many merchant believe that “PA-DSS app confers magic PCI compliance on them: 🙂