Secure Payments, PCI DSS, Regulatory Compliance Blog

Radiant Systems and VAR being sued for Data Compromises

November 25th, 2009 by cmark Posted in PCI DSS

A recent press release announced that Radiant Systems and a reseller of their products called Computer World are being sued in a class action suit for “millions of dollars” over issues that resulted in hundreds of instances of identity theft. This is a very interesting wrinkle in the PCI DSS space. Those of us who have been in the PCI world for a while have seen what is alleged in this suit numerous times. According to the press release, the company’s Aloha application violated the PCI DSS, and the distributor violated provisions as well. Specifically, the suit alleges that Radiant and Computer World were responsible for the following:

1) Restaurants were sold earlier model POS systems although they were represented to be new models;
2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards;
3) Computer World used the same password for at least 200 operators in violation of PCI standards;
4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards.

This is nothing new, but it is about time that VARs are held responsible. I will never forget the Visa class I was teaching several years ago when a very polite older gentleman in the front row explained how his distributor installed his POS incorrectly and he was found to have been storing magnetic stripe data after having suffered a breach. While I am the first to say that companies are responsible for their own security, the vendors also have a responsibility to support their customers in a secure manner.

Additionally, the suit alleges that:

• Radiant Systems’ negligence and failure to either instruct or monitor Computer World’s actions led to systems being compromised and leaving the plaintiffs’ customers vulnerable to identity theft and fraud.
• That Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant. (The restaurants were unaware of these warnings at the time they purchased the Aloha system.)

Going back to my previous posts, I am a huge proponent of tokenization and end-to-end encryption solutions for this very reason. According to the National Restaurant Association there are nearly 1 million single-serving restaurants in the US. Without removing the card data from the merchants’ environment, we will continue to see situations like those referenced in the release above. For those looking for such solutions, here is a short list:

ProPay, Shift4, MerchantLink, EPX, TrustCommerce, CyberSource, Payment Processing, Inc., Heartland Payment Systems, First Data (new entrant), BrainTree, 3Delta, and a few others. (If I forgot your company, please comment and I will add it.) If you manage merchants, I recommend you look for solutions that can simply remove the data from their environment.
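To make concrete what “removing the data from the merchants’ environment” means in practice, here is an added illustration of the tokenization pattern the post advocates. It is example code written for this page, not code from Radiant, Computer World or any of the vendors listed above, and it assumes a hypothetical processor-side vault (modelled here as an in-memory dictionary standing in for an encrypted store the merchant never holds keys to). The merchant side keeps only a token and the last four digits; the token is random rather than derived from the PAN, and it is deliberately built to fail the Luhn check so it can never be mistaken for a real card number by a person or a scanning tool.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Random token, same length as the PAN, keeping the last four digits for
    receipts. It is rejected and regenerated until it FAILS the Luhn check, so a
    token stored in POS fields can never pass as a card number."""
    last4 = pan[-4:]
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + last4
        if token != pan and not luhn_valid(token):
            return token


@dataclass
class TokenVault:
    """Hypothetical processor-side vault. In production the PAN column sits in
    an encrypted store outside the merchant's network; a dict stands in here."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Reuse the existing token for a repeat card so recurring billing and
        # refunds work without the merchant ever seeing the PAN again.
        for token, stored in self._store.items():
            if stored == pan:
                return token
        token = make_token(pan)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (processor) can turn a token back into a PAN."""
        return self._store[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's POS is allowed to persist after a sale: no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    # Constructed sample input: a well-known industry test card number.
    vault = TokenVault()
    record = merchant_checkout(vault, "4111111111111111", 1999)
    print("merchant stores:", record)
    print("token passes Luhn?", luhn_valid(record["token"]))
    print("processor recovers:", vault.detokenize(record["token"]))
```

The property worth checking in any real product is the one the loop in `make_token` enforces: the value left behind at the merchant must be useless to a thief who skims the POS database, which is why it is random (not a hash of the PAN) and why detokenization lives only on the processor side.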

4 Responses to “Radiant Systems and VAR being sued for Data Compromises”

By Brian Grafsgaard on Nov 25, 2009

    Please include nuBridges - an encryption and tokenization solution vendor - in the list as well. (QBS is an implementation partner and reseller of nuBridges’ suite of solutions.)

By Jennifer Johnson on Nov 25, 2009

    Radiant Systems also just released Aloha POS v6.5 that includes tokenization.

By David Ellis on Nov 26, 2009

    I completely agree with the necessity of utilizing secure payment applications and I am a big fan of tokenization. In this case, there was a myriad of blunders; I believe the greatest failure occurred as a result of blatantly insecure remote access. The best defense is to keep them out in the first place.

By CJS on Dec 3, 2009

    Although I agree that tokenization and end-to-end encryption would resolve many of these situations in theory, the solutions that are available right now are very immature and don’t resolve many of the problems in the retail marketplace. I’ve just reviewed the solutions that you list. Some are tokenization-only solutions. Tokenization alone seems to accomplish very little since one of the biggest risks is from skimming data (as in the Radiant case). The only way to avoid that is to use a full end-to-end encryption strategy coupled with tokenization.

    The existing solutions for full end-to-end encryption suffer from several problems. First, they tend to support a very limited set of terminals. I have only seen USB magstripe terminals that support end-to-end encryption. Many merchants are using portable terminals and unattended terminals. In addition to the terminal problem we also have the problem of limited back-end processor support. This then leads to the next problem: vendor lock-in. If I go with any of the companies that you list I will be forced to remain with that company as long as I want access to the card data.

    Without end-to-end encryption the merchant is required to be PCI-DSS compliant and the vendor is required to be PA-DSS compliant. Although I agree that Radiant seems to have breached the latter, we can’t hold POS vendors accountable for a merchant’s PCI-DSS compliance. The current standards put that responsibility on the merchant, and it is virtually impossible for a POS vendor to try to remotely act as an IT department for thousands of sites. Unfortunately it is also virtually impossible for small level 4 merchants to be truly PCI compliant, and that is the core problem.

    The only solution that I can see that will work is an industry standard end-to-end encryption and tokenization strategy. The only group with the authority to create such a standard and enforce it is the PCI-SSC. So I do think that some of the responsibility lies with them.

    That being said, if anyone does happen to know of an end-to-end tokenization strategy that resolves the above problems, I would be most grateful. I have been looking for a very long time.
