A chain of restaurants in the US is suing its point-of-sale (PoS) supplier for allegedly selling it a malware-infected server and failing to reveal that its system was not PCI-DSS compliant.
Cotton Patch Café first brought its case against Micros, a US company that specialises in the restaurant and hotel industries, back in 2008, after it emerged that customer credit card details had been stolen.
The restaurant chain was later fined $250,000 by Visa and Mastercard for failing to meet the PCI-DSS credit card security standard, according to a report by the Baltimore Business Journal.
The company's original lawsuit against Micros alleged that its credit card payment system was never compliant with PCI-DSS, which came into force in 2004, despite reassurances from the company that it was.
Micros "failed to provide a compliant firewall, antiviral software for the system, non-default passwords and failed to encrypt and remove credit card data in accord with [PCI-DSS]", the lawsuit claims.
According to a report by eWeek.com, Cotton Patch Café has since further alleged that in 2006, Micros installed a server "with malware already placed on the system".
This "provided the necessary means for an attacker to take control of the server, install additional malware, identify customer credit card data (including full track data), and exfiltrate that data".
Micros, which repeatedly appealed to have the case dismissed, has described it as "frivolous".