Suit Against Wendy's Cites Lack of EMV

New Class Action Claims Restaurant Chain Didn't Do Enough to Prevent Breach

In the aftermath of the settlement of banks' post-breach lawsuit against Target, a financial institution is now suing Wendy's seeking to recoup breach-related expenses.

The suit against Wendy's alleges, among other things, that the fast-food chain failed to meet industry best practices for securing card data because it was not EMV-compliant at the time of its breach, which is believed to have occurred from Oct. 22, 2015, until March 10, 2016.

In its preliminary 2015 annual report, published Feb. 9, Wendy's confirmed that malware designed to steal payment card data had been discovered on some of the chain's point-of-sale systems.

The lawsuit, filed by Pennsylvania-based First Choice Federal Credit Union on April 25, seeks class-action status on behalf of all affected financial institutions. The suit seeks to have Wendy's compensate affected card issuers for breach-related losses and expenses, such as card-reissuance expenses and paying cardholders for fraud losses. It also asks that the court ensure that Wendy's shores up its security.

The new lawsuit comes on the heels of a consumer class-action suit filed against Wendy's in February seeking compensation for cardholders affected by the breach. Earlier this month, Wendy's filed a motion seeking to have that case dismissed.

Would EMV Have Prevented Breach?

The latest lawsuit against Wendy's makes strong allegations that the restaurant chain's inability to accept EMV cards for payment contributed to the breach. While several card fraud experts say those claims are baseless, one argues they could help bolster the case.

"The payment card industry set rules requiring all businesses to upgrade to new card readers that accept EMV chips," the suit alleges. "Such technology greatly increases payment card security, because if an EMV chip's information is stolen, the unique number cannot be used by the thieves, making it much more difficult for criminals to profit from what is stolen."

The suit goes on to say that the "deadline" for EMV compliance was Oct. 1, 2015. "Wendy's did not meet that deadline," the suit claims.

Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, offers a harsh assessment of that argument.

"First off, the card brands did not set a hard deadline to switch to EMV - they set a deadline on the [fraud] liability shift," she says. "Also, even if Wendy's had EMV acceptance turned on, they probably would still have been accepting at least 50 percent mag-stripe cards, since that's about the amount of card transactions that would have still been mag-stripe transactions in that time period. Secondly, the litigants are not even recognizing the POS terminal certification backlog that is preventing many merchants, including perhaps Wendy's, from turning on EMV acceptance."

The EMV certification backlog has been highlighted by the Merchant Advisory Group and other retailer associations, which argue that merchants are not to blame for the delay in implementing EMV (see EMV: Chargebacks Hitting Merchants of All Sizes).

Other fraud experts also call into question the lawsuit's EMV-related claims.

Al Pascual, head of fraud and security at Javelin Strategy & Research, notes: "The argument that EMV acceptance was a requirement is something that Wendy's will be sure to jump all over - the card brands have explicitly said otherwise."

And John Buzzard, the former head of FICO's Card Alert Service, who now works as director of product management for security firm Rippleshot Fraud Analytics, points out: "Many merchants, not just Wendy's, are in various stages of accepting chip payments. Likewise, issuers are all over the map with regard to chip issuance. This creates holes in the assumption that a lack of preparedness for EMV would prevent this scenario."

But cybersecurity attorney Chris Pierson, general counsel and CISO for invoicing and payments provider Viewpost, contends that the court may view Wendy's failure to implement EMV as a sign of security weakness.

"This present case before the court alleges that EMV was not in place at Wendy's as a means to demonstrate that the company did not implement 'reasonable security measures' to protect card data as a part of its negligence claim," he says. "If true and the case progresses, this could be relevant to whether Wendy's deployed controls are now considered to be best security practices. An EMV-enabled point-of-sale terminal is certainly one of those controls that is a best practice, and the liability shift that occurs post-breach is an important one to consider."

Neither Visa nor MasterCard responded to Information Security Media Group's request for comment.

A Regional Attack?

The new lawsuit against Wendy's also alleges that because fraud tied to the breach only affected issuers in specific regions of the U.S., the impact on those issuers was greater than the fraud losses and expenses they suffered as a result of the Target and Home Depot breaches.

"Unknown perpetrators also specifically targeted and drained debit accounts with large amounts of money in them, concentrating the damages and causing individual financial institutions, such as the plaintiff and members of the class, to suffer losses that are much greater than what was experienced after the Home Depot or Target data breaches," the suit alleges.

But Litan claims that argument is unjustified. "The Target and Home Depot fraudsters 'regionalized' their stolen data so that the stolen cards were bought and used by criminals in the regions where the victimized cardholders also lived. This minimized their chance of being caught."

The lawsuit also implies that Wendy's was not in compliance with the Payment Card Industry Data Security Standard at the time of its breach.

But Pierson argues that "passing PCI-compliance testing has a low correlation rate with whether a compromise can happen. It is, however, true that not being PCI compliant and meeting these hurdles positions a company for a higher than average likelihood of a breach."

Meanwhile, Buzzard argues that card issuers could have played a role in shortening the length of the breach if they had better analytics in place to trace fraud back to Wendy's.

"We just don't manage fraud the same way in 2016 as we did in 2014," Buzzard says. "Less card reissues and way more predictive and preventive fraud strategies is the new mantra."

Wendy's declined to comment about the pending litigation. Attorneys representing the plaintiff did not respond to ISMG's request for comment.