The amended complaint was filed on behalf of California credit card holders and card-accepting merchants Wednesday in California Superior Court in San Francisco.
The suit, originally, names as defendants CardSystems, MasterCard, Visa and Merrick Bank, a card-issuing bank that used CardSystems to process transactions. None of the defendants could be reached for comment late Wednesday.
The suit accuses the companies of violating California law by neglecting to secure credit card systems and by failing to inform consumers in a timely manner about a security breach at CardSystems, which.
The suit asks for consumers whose information was exposed to be informed and granted access to a credit-monitoring service. Additionally, according to the suit, credit card companies should waive any charge-back fees or penalties to merchants in the case of fraudulent transactions that involve any of the credit cards involved in the security breach.
Intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Credit card companies have said they wouldunless the accounts are actually abused.
The updated complaint also charges that MasterCard, Visa and Merrick Bank knew or should have known that CardSystems failed security audits and did not comply with credit card industry security standards, said Ira Rothken, the San Rafael, Calif., lawyer who filed the suit. Yet they continued to allow the company to process transactions, he said.
"In light of the notion that CardSystems failed multiple security audits, this is much more serious than we originally thought," Rothken said in an interview Wednesday. "We're asking for damages against all the defendants proportionate to their wrongful conduct."
The amended suit also adds Andrew Schultz as a plaintiff. Schultz, a resident of Marin County, Calif., had his Visa debit card data compromised in the CardSystems breach, Rothken said.
The suit was originally filed on behalf of Eric Parke, a holder of several MasterCard and Visa credit cards, and Royal Sleep Clearance Center, a business that accepts the cards. The three plaintiffs seek to represent classes of consumers and merchants.
Retailers may have more to lose than consumers by the lack of notification. If a criminal makes an unauthorized purchase on an individual's card, the cardholder is typically protected. But in many cases, businesses have to cover the loss.
And if consumers aren't alerted, that means the compromised cards could still be active and may be used by criminals.
More defendants could be added as the case proceeds. The suit lists 200 unnamed defendants for that purpose.