
Lawsuit seeks disclosure in credit card heist

Class-action suit wants credit card companies to alert millions of consumers whose personal data was recently exposed.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.

A lawsuit filed Monday intends to help consumers and merchants who were left in the dark after a digital break-in that put millions of credit card accounts at risk of fraud.

The class-action suit was filed in California Superior Court in San Francisco against CardSystems Solutions, Visa and MasterCard on behalf of California credit card holders and card-accepting merchants, according to a copy of the suit.

The lawsuit accuses the companies of violating California law by neglecting to secure credit card systems and by failing to inform consumers in a timely manner about the security breach at payment processor CardSystems, which was disclosed publicly on June 17 by MasterCard.

In the break-in, intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Despite this, credit card companies have said they would not notify customers unless the accounts are actually abused.

The lawsuit asks for CardSystems, Visa and MasterCard to inform consumers whose personal information was exposed and give special notice to those whose data was confirmed stolen. All involved should also get access to a credit-monitoring service, according to the suit.

Additionally, the credit card companies should waive any charge-back fees or penalties to merchants in the case of fraudulent transactions that involve any of the credit cards involved in the security breach, said Ira Rothken, the San Rafael, Calif.-based attorney who filed the suit.

Retailers may have more to lose than consumers by the lack of notification. If a criminal makes an unauthorized purchase on an individual's card, the cardholder is typically protected. Businesses, however, in many cases have to cover the loss.

And if consumers aren't alerted, that means the compromised cards could still be active and may be used by criminals.

"Millions of consumers have had their private credit card data compromised and are just going to have to wait and see to what extent the data will be used fraudulently or exploited in other ways. This is causing consumers enormous apprehension and concern," Rothken said.

Visa is currently reviewing the lawsuit, company spokeswoman Rosetta Jones said.

"We believe that consumers are protected through our fraud-monitoring technologies as well as our zero-liability fraud policy," she said. Representatives for MasterCard and CardSystems were not immediately available for comment.

Pressure keeps mounting for credit card companies to alert individual consumers. Lawmakers are also fighting for full disclosure in the event of a data security breach. People should be able to decide themselves if they want to close their account after their personal information has been leaked, lawmakers have said.

The suit was filed on behalf of Eric Parke, an individual holder of several Visa and MasterCard credit cards, and Royal Sleep Clearance Center, a business that accepts the cards. Both seek to represent classes of consumers and merchants, according to the suit.

While CardSystems, Visa and MasterCard are targeted by the suit, more defendants could be added as the case proceeds, Rothken said. The suit lists 200 unnamed defendants for that purpose.