Will Merrick's lawsuit affect PCI auditors?

Merrick Bank Corp. filed suit on May 12, 2008, against Savvis Inc. (formerly Savvis Communications Corp.) alleging negligence and negligent misrepresentation in 2004, when Savvis certified Merrick's processor, CardSystems Solutions Inc., compliant with the Card Information Security Program (CISP), then the prevailing payments industry data security standard. CardSystems was subsequently breached.

CISP was instituted by Visa U.S.A. (now Visa Inc.) and was a precursor to today's Payment Card Industry (PCI) Data Security Standard (DSS).

In the complaint – filed in the United States District Court, Eastern District of Missouri, Eastern Division – Merrick declares it incurred $16 million in damages in the form of payments and assessments to Visa and MasterCard International (Now MasterCard Worldwide) and related legal fees.

Following is a timeline of alleged events in the case. All dates given are stated as "in or about" in the complaint:

• December 2003: Cable & Wireless Inc. submitted a report on compliance (ROC) for CardSystems Solutions Inc., which was not accepted by Visa.
• January 2004: Merrick entered into a processing agreement with CardSystems pending CardSystems' compliance with the CISP.
• January 2004: Merrick entered into negotiations with another acquiring bank (not named in the complaint) to acquire 10 to 15 ISO relationships, most of which processed through CardSystems.
• January 2004: Savvis Inc., which had purchased Cable & Wireless in January 2004, agreed to provide Merrick Bank with an ROC.
• April 2004: Merrick agreed to the terms of the ISO acquisition but deferred execution until after CardSystems' CISP certification.
• June 2004: Savvis issued an ROC to CardSystems and Visa, recommending Visa certify Card Systems, which Visa subsequently did.
• July 2004: Merrick signed a final agreement with CardSystems, with whom it had been negotiating.
• May 2005: CardSystems notified Merrick of a breach in CardSystems' security.

According to Attorney Theodore Monroe, who specializes in the payments industry, the case centers on whether Savvis, through its contract with CardSystems, is liable for damages incurred by a third party (Merrick).

"There may be a question of whether the auditor owed a duty of care to Merrick here or just a duty of care to CardSystems," Monroe said. "And I don't know if that will be an issue here or not.

"The issue that Savvis will likely bring up is that the duty of care does not extend beyond CardSystems."

The allegations

According to the complaint, Visa certified Savvis as a CISP auditor. The complaint further alleges the following:

• Savvis gave CardSystems a passing grade which Visa accepted.
• Visa, in turn, certified CardSystems CISP compliant.
• Merrick, relying on the integrity of the regulatory system and the accuracy of the report, entered into an agreement with a processor it thought to be secure.

The complaint also claims that after the breach, a forensic investigation found the processor to have been noncompliant during the time it was certified CISP-compliant by Savvis. Specifically, the complaint asserts the following:

• Firewalls were not compliant.
• Card transaction data was retained improperly.
• Card transaction data was unencrypted.

The suit also alleges the forensic investigation discovered CardSystems had been "improperly and continuously storing unencrypted card transaction data on its servers for over five years."

The first count of alleged negligence states, "Savvis provided the ROC to Visa knowing and intending that Visa would provide the ROC and its recommendation of 'full compliance' with CISP to banks, like Merrick, then considering a direct contractual relationship with CardSystems and that Visa and such banks would rely thereon."

The second count, negligent misrepresentation, asserts that the ROC was false and misleading. "Savvis failed to use reasonable care and competence in representing that CardSystems was CISP compliant when in fact it was not," the complaint stated.

Aftershocks

Monroe said that if Merrick wins the suit, the card companies will probably make the process of conducting an audit more rigorous, and that may thin out the number of certified auditors.

"Any time you have an auditor, whether it's a financial auditor or an auditor in this context, you've got to be concerned about the auditors just going out there rubber-stamping the client and taking their check," Monroe said. "And I think that's the long-term concern here. You don't want the auditors attesting for things that they haven't done.

"If the auditor does get away with this, they will probably get away with it because they didn't owe a duty of care to Merrick, that it only extends to the entity that they had a contractual relationship with."

Monroe believes if the ruling goes against Merrick, acquiring banks entering into relationships with processors will ask for third-party beneficiary rights. That will give the banks the same right to sue in the event of a breach.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.