Merrick Bank is suing an information technology firm, Savvis, for negligence in its audit, which deemed the now defunct CardSystems compliant with Visa and MasterCard's card transaction security standards. According to a complaint filed on May 12, 2009 in U.S. District Court, Eastern District of Missouri, before doing business with CardSystems in 2004, Merrick Bank hired Savvis to assess whether the payment processor met Visa and MasterCard's security requirements.
In its audit, Savvis concluded that CardSystems had sufficient security solutions and operated in line with industry best practices. Savvis recommended that CardSystems be recognized as compliant with Visa's Cardholder Information Security Program (CISP), which ensured that payment card processors have a secure network infrastructure in place, and certain security policies and operational procedures are being followed.
Shortly after passing the Savvis audit, CardSystems was listed as CISP-compliant by Visa, and Merrick allowed CardSystems to process transactions.
In 2005, less than a year after being deemed compliant by Savvis, CardSystems experienced a breach in which 40 million accounts were exposed. The breach occurred due to vulnerabilities in the processor's systems, which enabled a malicious hacker to infiltrate CardSystems' network and access cardholder data.
As a result of the breach, Merrick said it has paid out $16 million to Visa and MasterCard, which in turn have paid to issuing banks that suffered fraud as a result of the breach, the complaint states.
“Savvis breached its duty to Merrick by failing to audit CardSystems in a competent and professional manner,” the complaint states.
Merrick's lawsuit charges Savvis with two counts of negligence. Merrick is seeking relief funds from Savvis for an unspecified amount to be determined by the court, if the ruling is in favor of Merrick.
“It is our policy not to comment on litigation,” a Savvis spokesman told SCMagazineUS.com on Thursday.