It was only a matter of time before these started. And, can you blame them?
From Wired:
Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.
The restaurants, located in Louisiana and Mississippi, filed a class-action suit against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.
Were these known issues? I mean, when were these systems purchased, and when did the restaurants learn that the POS systems were failing on security? I'll be honest: I'm surprised that we have not seen more of these lawsuits.
Then I read this passage:
As a result, a hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others, plaintiffs say. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania.
Wait, what? PCAnywhere? At this point I'm not willing to call the ne'er-do-wells "hackers".
Read on.
I can't count how many times I, a coworker, or a business partner has had to tell a customer that the credit card system they paid bottom-of-the-barrel pricing for was not PCI compliant. Hell, I can't even count how many times we've had to tell the vendor that they are required to produce compliant software.
A lot of these vendors use PCAnywhere as the cornerstone of their support. One vendor I've dealt with actively refused to use a VPN and was going to charge several hundred dollars per hour if they couldn't just connect to a public IP address.