Texas Eatery Chain Sues Micros Over Credit Card Payment System

The restaurant chain alleges that the Micros payment system was delivered with malware and that it led to the theft of customer credit card information.

Micros Systems is being sued by a Texas-based restaurant chain, which alleges that the IT company sold and installed a malware-infected credit card transaction system that captured personal data from the restaurant's customers.

The trial in the case opened July 15 in U.S. District Court in Baltimore, pitting the Grapevine, Texas-based Cotton Patch Cafe chain against Columbia, Md.-based Micros.

In its 12-page complaint, the restaurant chain alleges that Micros sold and installed point-of-sale (POS) and credit card systems in its Nacogdoches, Texas, location in 2001 and that it was subject to many federal standards regulating credit card transactions and security. Micros had full control over the system and its security, the lawsuit alleges, and "explicitly instructed Plaintiff not to tamper with, maintain or service the system in any way."

The federal standards and separate payment card industry data security standards imposed by the major credit card companies and related financial institutions provided "requirements for point-of-sale systems, including requirements for protecting cardholder data, developing and maintaining secure systems and applications, restricting access to cardholder data, tracking and monitoring access to network resources and cardholder data, and regularly testing security systems and processes," according to the lawsuit.

Despite those requirements, the suit alleges, Micros "never advised Plaintiff that the system was not compliant with these statutes and standards even though Defendant was aware that the system was not compliant."

In 2006, officials from Cotton Patch Cafe "inquired about the system's compliance with these uniform standards" and Micros represented that the system "complied or would be made to comply with all standards and particularly with respect to credit card data storage and encryption," according to the lawsuit. "Indeed, Defendant provided services purportedly to inspect and upgrade the system and produced purported 'evidence' that the system was secure and met the required security standards."

In the meantime, Micros "continued to maintain complete control of the system, even replacing a server, continued regular service and maintenance of the system, and continued to fail to advise Plaintiff that the system was not compliant with prevailing standards," the complaint alleges. "This conduct occurred even though Plaintiff's use of a non-compliant system subjected it to possible fines from credit card companies and exposure to theft of its customers' credit card data. Such conduct also occurred even though Defendant was aware of data breaches victimizing other customers with the same type of point-of-sale system and remote access of cardholder data by third parties and subjected Plaintiff to charges and fines from credit card companies and related financial institutions."

The problem became worse in March 2006, according to the lawsuit, when Micros allegedly sold the restaurant a new server and upgraded software installed in the Nacogdoches location "with malware already placed on the system and configured to store full track data in system page files, all in violation of known standards."

That malware "provided the necessary means for an attacker to take control of the Server, install additional malware, identify customer credit card data (including full track data), and exfiltrate that data," the lawsuit continued. The restaurant didn't know the server contained malware and Micros "failed to notify Plaintiff of the malware or prevent its installation."