Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts.
Atlanta-based CardSystems - now owned by Pay By Touch - identified a security incident in May 2005 that exposed more than 40 million credit cards to hackers.
The following year the company agreed to settle federal charges that it failed to protect the financial data of millions of consumers. The US Federal Trade Commission (FTC) said the breach "led to millions of dollars in fraudulent purchases".
The FTC concluded CardSystems created unnecessary risks to the information by storing it and failed to ensure that its network was secure from attacks.
Merrick, which is an acquiring bank for around 125,000 merchants, has now filed a federal complaint claiming the breach cost it around $16 million: payments to Visa and MasterCard for using a processor that did not meet their standards, as well as payouts to affected banks and legal fees.
Before the breach, Merrick agreed to use CardSystems for processor and independent sales services if it proved compliance with Visa and MasterCard security requirements.
The processor asked Savvis to assess and certify its compliance and got the all-clear, and consequently the Merrick contract.
Less than a year later the security breach occurred. Merrick says hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers - in contravention of the regulations for which Savvis certified it.