The Green Sheet Online Edition
April 08, 2013 • Issue 13:04:01
Visa faces challenges to breach fines
A complaint filed March 7, 2013, in the U.S. Middle District of Tennessee challenges fines Visa Inc. assessed after sports apparel retailer Genesco Inc. reported a data breach in its computer system.
The retailer claims the card company has no evidence that stored customer data was taken from company computers; therefore no industry security rules were violated, and the card company had no reason to assess fines. These allegations are similar to those made against Visa in Utah state court by Cisero's Ristorante Inc. of Park City, Utah, in 2011.
Genesco breach led to fines
In December 2010, criminals intercepted unencrypted data as it was being transmitted by Genesco to its financial institution and processor. The thieves used malware inserted into the Genesco system to acquire the data.
Genesco claims that, according to Payment Card Industry (PCI) Data Security Standard (DSS) security protocols "and consistent with longstanding and pervasive industry practice, the payment card account data required for approval of a mag-stripe-swipe transaction is permitted to be transmitted in unencrypted form during the transaction approval process."
Genesco also stated that at no time did the thieves gain access to stored payment card information in its network. It further said there is no forensic evidence that any accounts on its computers were compromised by the thieves and, because it lost no stored data, it is in compliance with the PCI DSS and not subject to Visa fines.
"Visa breached its contracts with the acquiring banks and violated applicable law by imposing and collecting the non-compliance fines and issuer reimbursement assessments, because the non-compliance fines and issuer reimbursement assessments are not authorized by the Visa International Operating Regulations (VIOR)," the complaint said.
Genesco reported it paid $13,298,900.16 in assessments and noncompliance fines directly or as a result of indemnity obligations it has with its acquiring banks. Genesco's bank and acquirer, Wells Fargo Bank N.A. and Fifth Third Financial Corp., respectively, have assigned to Genesco all rights to statutory and equitable claims against Visa in this matter.
Similarities to Utah case
In the Utah case, Cisero's claims it was unlawfully assessed fines after a 2008 investigation of an alleged data breach at the restaurant concluded $1.2 million in fraud losses were attributable to the theft of unprotected credit card data from the restaurant's computer system. However, Cisero's claims it paid for two independent forensic examinations of its computer system, both of which failed to find that any card information stored on its system was breached.
Cisero's allegations are in a counter claim it filed in response to a suit filed against it by its acquirer, Elavon Inc. The acquirer is suing Cisero's to recover $82,000 in fines imposed after a card company investigation deduced fraud losses stemmed from data stolen from the restaurant's computers.
Cisero's claims that its merchant services contract with Elavon, which allows the acquirer to pass on to the restaurant fines imposed by Visa following a data breach, is an unfair contract of adhesion that the restaurant had no choice but to sign if it wanted to continue as a viable business. The allegedly unfair contract nullifies its merchant services agreement and the restaurant is not liable for data breach fines, the counter claim asserts. Cisero's also stated Elavon accepted fines without providing the restaurant an adequate way to defend itself or challenge the assessments.
Genesco's filing and Cisero's claim
Steve Cannon is an attorney representing Cisero's and Chairman of the Washington, D.C., law firm Constantine Cannon, the firm that negotiated a $3 billion antitrust settlement for national retailers with Visa and MasterCard Worldwide in 2003. Cannon noted that the Cisero's claim is similar to Genesco's in that they both charge the VIOR are not enforceable and the fines and penalties are invalid.
Cannon pointed out that the unenforceability of the indemnification agreement with the acquirer is, significantly, not an issue in the Genesco case because the acquirer and bank signed over claim rights. "Our litigation is against U.S. Bank and Elavon. They started it," he said. "Genesco is skipping the banks and going right to Visa. Cisero's is different. We were the respondent." Cannon noted that both cases not only contend the breach fines are unenforceable, but they also question how Visa calculates fine assessments.