Restaurant chain sues IT supplier over “malware-infected” PoS system

A chain of restaurants in the US is suing its point-of-sale (PoS) supplier for allegedly selling it a malware-infected server and failing to reveal that its system was not PCI-DSS compliant. 

Cotton Patch Café first brought its case against Micros, a US company that specialises in the restaurant and hotel industries, back in 2008, after it emerged that customer credit card details had been stolen. 

The restaurant chain was later fined $250,000 by Visa and Mastercard for failing to meet the PCI-DSS credit card security standard, according to a report by the Balitmore Business Journal

The company's orginal lawsuit against Micros alleged that its credit card payment system was never compliant with PCI-DSS, which came into force in 2004, despite reassurances from the company that it was. 

Micros "failed to provide a compliant firewall, antiviral software for the system, non-default passwords and failed to encrypt and remove credit card data in accord with [PCI-DSS"], the lawsuit claims. 

According to a report by, Cotton Patch Café has since further alleged that in 2006, Micros installed a server “with malware already placed on the system".

This "provided the necessary means for an attacker to take control of the server, install additional malware, identify customer credit card data (including full track data), and exfiltrate that data". 

Micros, which repeatedly appealed to have the case dismissed, has described it as "frivolous". 

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...

Related Topics