Retailer Sues Visa Over $13 Million 'Fine' for Being Hacked

A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.

The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based.

It’s the first known case to challenge card companies over the self-regulated PCI security standards — a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure card data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.

When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of from the merchants, who have more incentive to fight the fines. The third-party banks then simply collect the money from their customer's account (that is, the merchant's) or sue the merchant for uncollected balances, using the indemnification clauses in their contracts to justify it. The card companies collect their fines with no hassle, and merchants, in the meantime, are left fighting to dispute the fines and get their money back from the card companies.

The lawsuit was filed last week in Tennessee by Genesco, the parent company of more than 2,440 retail stores in North America and parts of Europe that sell footwear and sports apparel under various store names, such as Journeys, Lids Locker Room and Journeys Kidz.

The case revolves around $13 million that was seized from Genesco's merchant bank accounts earlier this year by Wells Fargo and Fifth Third Financial -- two financial firms involved in the processing of bank card transactions that customers made at Genesco stores -- after they were fined by Visa for noncompliance with the PCI standards following a breach of Genesco's network.

In December 2010, Genesco announced that it had been hacked, but provided few details about the breach other than to say it was possible that certain details of cards used in its stores might have been compromised.

In the court documents (.pdf) for its lawsuit against Visa, the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.

Nonetheless, Visa accused the company and its banks of violating the Payment Card Industry standards, fined the banks $5,000 each for noncompliance, and then later levied $13.3 million against them for operating expenses incurred over the breach and to recover the cost of fraudulent charges made to the accounts. Visa collected the money this past January from the banks.

Under the PCI standards, merchants are not supposed to store card data, but they may store some parts of the data if they have to, as long as it's encrypted. They may also retain the data in the short term -- for example, temporarily hold it in memory while it's being authorized -- as long as they take care to protect that data.

Genesco's attorney did not respond to a call for comment, but in its complaint against Visa, the company maintains that it never violated these standards and notes that the packet sniffer the hackers installed on its network was designed to intercept unencrypted card data while it was in transit through Genesco's network to the banks for approval. But the company says that because its servers rebooted regularly, log files that may have contained card data would have been overwritten, thus preventing the hackers from obtaining it.

"[R]eboots of the intruded-upon servers in the Genesco cardholder data environment caused any log files that may have contained data relative to those accounts to be overwritten by the intruder(s)' malware prior to the intruder(s)' having an opportunity to exfiltrate those files from Genesco's network," the company asserts. Therefore, "as a result of such overwriting Genesco did not even suffer a possible theft of cardholder data with respect to many of the" accounts cited by Visa.

Following the breach, Visa sent out an alert listing all cards that had been used at Genesco stores between Dec. 4, 2009 and Dec. 1, 2010 "even though there was no forensic evidence that any of those accounts had been compromised," Genesco notes, and subsequently used that list to assess the $13 million in penalties. In fact, Genesco asserts, the evidence showed that some of those accounts specifically were not compromised in the intrusion.

Genesco points out that the banks are not supposed to be liable to Visa for a breach unless at least 10,000 accounts were stolen, the merchant committed a PCI violation that allowed the theft to occur, and the amount of counterfeit fraud on the stolen accounts exceeded the amount of fraud that normally would occur on a card. Genesco maintains that these requirements weren't met, but Visa levied the penalties anyway, violating its own rules and procedures.

Visa did not respond to a call for comment.

Visa is not the only card company to go after Genesco and its banks. MasterCard did as well. The two companies combined imposed $15.6 million in fines and assessments, but Genesco has so far only sued Visa.

Genesco broadcast its plans to sue in January in a filing to the Securities and Exchange Commission. According to that filing, the breach has cost Genesco $2.1 million so far in legal and consulting fees.

While many companies have found themselves in similar circumstances to Genesco, this is the first suit to take on the card companies.

The only other known case similar to this is one filed last year in Utah by restaurant owners who sued over more than $90,000 that was seized from their bank accounts. In that case, however, the plaintiffs sued their financial institution, US Bank, for wrongfully seizing the money from their merchant bank account.

US Bank, which processed the bank card transactions that customers made at the restaurant, seized about $10,000 from the merchant's account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that the restaurant had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. US Bank sued the restaurant owners to obtain the $80,000 balance, and the restaurant owners counter-sued. That case is ongoing.