(May 27, 2009) Four years later, the fallout from the notorious CardSystems Solutions Inc. data breach—at the time the biggest hacking of payment card data ever—surfaced last week and looks like it could go on for months or even years. Merchant acquirer Merrick Bank Corp. is suing Savvis Inc., the company that inspected CardSystems before the breach, for alleged negligence because Savvis had concluded that the processor’s security systems met Visa Inc.’s standards.

South Jordan, Utah-based Merrick had signed CardSystems in early 2004 as an independent sales organization and third-party processor. Merrick, an acquirer for about 125,000 merchants, claims in the suit that it suffered $16 million in losses because of the breach in its role as a sponsoring bank for CardSystems into the Visa and MasterCard networks. The breach compromised about 40 million card numbers (Digital Transactions News, June 20, 2005).

Merrick’s lawsuit, which asks for unspecified relief, actually is not new. The bank first filed it a year ago in U.S. District Court in St. Louis. Savvis, formerly known as Savvis Communications Corp., is based in Town & Country, Mo., a suburb. The federal judge in Missouri hearing the case in December denied Savvis’s motion to dismiss it, but did grant the company’s request to move it to Arizona, where Savvis said a number of people and evidence involved in the case are located. CardSystems had operated out of Tucson. The case got onto the Arizona federal court’s docket May 21.

An attorney for Merrick referred Digital Transactions News to the bank’s parent company, Woodbury, N.Y.-based CardWorks Inc. A CardWorks spokesperson said by e-mail that the company would have no comment. A Savvis spokesperson did not respond to a Digital Transactions News request for comment.

The suit says that CardSystems hired Savvis in 2004 to inspect its security systems and submit a report about the processor’s compliance with Visa’s Card Information Security Program (CISP). Such a report was necessary before Visa would accept transactions from CardSystems. CardSystems had hired Cable & Wireless Inc. in 2003 to inspect its security operations, but Visa did not accept C&W’s report. Savvis bought C&W’s processor-auditing business in early 2004 and agreed to do another report, according to the suit. Savvis submitted that report in June of that year, which Visa approved. Merrick said MasterCard’s standards were similar to Visa’s, and with the clean report, the way was cleared for Merrick to sponsor CardSystems’ transactions. The report also enabled Merrick Bank to complete a deal with another acquirer under which Merrick would assume that acquirer’s relationships with 10 to 15 ISOs that processed through CardSystems.

But in May 2005, CardSystems informed Merrick that hackers had breached its computer systems. The suit calls the Savvis inspection report “false and misleading,” and claims Savvis failed to use “reasonable care and competence in representing that CardSystems was CISP-compliant when it fact it was not.” Merrick says its losses resulted from payments to Visa and MasterCard to reimburse their issuers from breach-related fraud, “assessments” for registering a processor out of compliance with security rules, and legal fees. The breach was the first major one involving a card processor and resulted in the demise of CardSystems as an independent company. The now-defunct Solidus Networks Inc., which did business as Pay By Touch, ultimately acquired its assets. But Solidus’s bankruptcy in late 2007 resulted in the sale of that company’s sprawling payments empire to several buyers. Merrick itself bought operating assets of the old CardSystems operation, which had been renamed Pay By Touch Processing Inc., for $2 million (Digital Transactions News, March 28, 2008).