PHOENIX (CN) – Merrick Bank claims it lost $16 million after hackers compromised as many as 40 million credit card accounts. The bank claims that Savvis, an information technology firm, erroneously assured it that the bank’s processor, CardSystems Solutions, complied with Visa and MasterCard’s security regulations.
Merrick Bank, an acquiring bank for 125,000 merchants, entered into an agreement with CardSystems Solutions to perform processor and independent sales organization services for the bank if it met Visa and MasterCard’s security regulations, according to the bank’s federal complaint.
CardSystems, if approved, would act to “solicit merchants to contract with acquiring banks … and provide maintenance and servicing to such merchants,” giving it access to all of the bank’s cardholder account information.
CardSystems asked Savvis, a professional service firm, to assess and certify its compliance with credit card security regulations, so CardSystems could work for Merrick. Savvis found that CardSystems had enough security processes in place to meet regulations, so Merrick hired it, according to the complaint.
Less than a year after Merrick hired CardSystems, the processor’s computer systems were hacked, causing millions of credit card account numbers to be compromised. The hackers were able to access the information because CardSystems kept unencrypted card information on its servers, violating security regulations for which Savvis had certified it, the bank says.
The security breach cost Merrick $16 million in payments to banks that were affected by the breach, payments to Visa and MasterCard for using a processor that did not follow their security rules, and legal fees, according to the complaint.
Merrick Bank is represented by Joseph P. Whyte with Heyl, Royster & Voelker of Edwardsville, Ill.