
Additional Information About That Potential Lawsuit

2 June 2010

After posting about the press release regarding the potential lawsuit (here), I got an email from the PR firm that had sent the release out. He, in turn, connected me to Charles Hoff, the attorney for the retailer that is considering the suit, Brew HaHa!. We had a very interesting conversation. Not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting, and this is what I can share from that discussion:

I’m not a lawyer, so let’s put this caveat onto everything below: this is all from one side of the discussion, it’s all alleged, and I don’t support one side or the other in this situation.

  • Brew HaHa! purchased a ‘turn-key’ solution from what they understood to be an ‘exclusive’ reseller of the POSitouch POS solution, CC Productions
  • It was explained to them that they could utilize a payments solution from Mercury Payments - any alternative to Mercury would cost Brew HaHa! additional money
  • Charles claims that Brew HaHa! was not informed that the Mercury solution that was being implemented was not PCI / PA-DSS compliant and that, after the system was implemented, Brew HaHa! noticed that they were being charged a fee to allow Mercury to make the changes needed for their solution to be PCI compliant. According to Charles, that’s the first time they realized that the solution wasn’t compliant.
  • They have had a forensics team in and they determined that malware was present on the environment and that the malware was aggregating cardholder data (among other things)
  • There is another, larger merchant that has yet to come forward that may have a similar situation and complaint…

Not a lot really (I’m not a great interviewer - not enough practice), but it did answer some of my questions and raise some more.

Also, Restaurant Data Concepts sent a press release as well - link (the link heads over to the Office Of Inadequate Security site - which is an excellent site btw).  Take a look at the release as it also makes some very interesting points.  Although, I will say that the statement, ‘It is not overly difficult or expensive for a merchant to protect themselves against theft of cardholder information’ is a little unfair - it can get very expensive and quite technically involved for many merchants.  The other line I thought was interesting - ‘A small expenditure to upgrade and secure their system can stave off significant costs and penalties…’

Ultimately it breaks down like this for me:

  1. There’s an involved chain of companies/products/services here: Restaurant Data Concepts (software) -> CC Productions (hardware/installation/implementation, and maybe Mercury resellers as well?) -> Mercury Payments (software?/processing) -> Brew HaHa! (which is responsible for their broader PCI requirements). Lots of places for someone to not do their job with PCI/security. Lots of places to miss something, or to not even realize that something wasn’t getting done by someone else in the chain.
  2. There is a responsibility that lies with a software vendor (as documented in PA-DSS), but does that responsibility extend to resellers?  ‘Exclusive’ resellers?
  3. When a small merchant without a big IT staff purchases a ‘turn-key’ solution, what does that mean for PCI?
  4. If a reseller or a technology vendor doesn’t volunteer the fact that they aren’t PCI compliant (or PA-DSS validated), does that mean anything? Yes, the retailer should have asked the vendor about compliance (and really should have obligated them contractually), but is the provider responsible for disclosing? (Either way, it’s a pretty crappy move if it really went down that way.)

Regardless - it should continue to be interesting.

Some Additional Info:

Lawsuit Brewing…

Brew HaHa breach no laughing matter
