Cisero's Inc., a family-owned small business that runs Cisero's Ristorante and Good Times Bar in Park City, Utah, is going head to head against top-tier acquirer Elavon Inc. in the Third Judicial State Court, Summit County, Utah. And the firm representing Cisero's? None other than Constantine Cannon LLP of "Wal-Mart case" fame. That class action, led by Lloyd Constantine, secured for merchants in 2003 the largest anti-trust settlement in history: $3 billion.
It is not far-fetched to believe this case, which stems from fines assessed because of stolen card data used to commit fraud, could call into question the validity of merchant agreements devised by acquiring banks, operating rules and regulations promulgated by card brands Visa Inc. and MasterCard Worldwide, and the Payment Card Industry (PCI) Data Security Standard (DSS) itself.
In the spring of 2008, Visa and MasterCard, through a "common point of purchase" method, identified Cisero's as the source of a data theft. The card companies deduced some cards that had been counterfeited and employed in fraud events had been used at Cisero's beforehand, and they concluded the card data had been stolen from Cisero's.
Visa claimed the alleged data theft from Cisero's resulted in $1.26 million in "actual fraud" and assessed hefty fines. U.S. Bancorp subsidiary Elavon, as is allowed under its merchant contract, attempted to pass the fines on to Cisero's by deducting funds from the restaurant's merchant account. But after Elavon's withdrawal of $10,000, Cisero's closed the account and refused Elavon's demands for reimbursement. In May 2010, Elavon sued Cisero's, complaining it had "suffered $82,692.29 worth of damage through March 18, 2010." In August 2011, Cisero's filed a counterclaim.
Cissy McComb, owner of Cisero's, said her bank, U.S. Bank N.A., and Elavon wrongfully penalized the restaurant and took money out of the restaurant's bank account for Cisero's alleged violations of the PCI DSS. And in its countersuit, Cisero's noted it had to accept Visa's and MasterCard's terms when it opened in 2001, because it could not survive without being able to accept the payment cards used by most of its customers.
The countersuit stated that when the contract was signed, Visa's rules were not available to merchants, and the PCI DSS was not even enacted. The countersuit also said Cisero's merchant agreement was later "materially changed" without Cisero's consent, yet Cisero's was required to obey rules it had not even seen. Cisero's said it was never told it was required to comply with the PCI DSS.
Cisero's also accused Elavon of imposing fines even after two independent forensic examinations of the POS terminals, paid for by Cisero's, revealed no proof of a breach. The counterclaim further stated Cisero's was never given an opportunity to defend itself or challenge the fines.
The countersuit additionally maintained Visa assessed fines even though it did not follow its own account data compromise recovery (ADCR) rules, which require a minimum of 10,000 unique compromised Visa account numbers before ADCR fines are assessed; if fewer than 10,000 unique account numbers are compromised, an issuer cannot recover losses from a merchant.
Cisero's forensic examinations found unencrypted account numbers on the POS hard drive (a finding in itself under PCI DSS Requirement 3, which requires stored PANs to be rendered unreadable, whether or not any data ever left the system), but the restaurant said there is no proof this data was compromised, and that with duplicate card numbers eliminated, Cisero's only had 8,107 unique Visa account numbers on its POS. Cisero's also claimed Visa did not explain its ADCR calculations, nor did it support its conclusions with evidence.
"These various shifting numbers based on unexplained calculations demonstrate that the ADCR process is little more than a scheme to extract steep financial penalties from small merchants such as Cisero's for the benefit of Visa," Cisero's stated in its complaint.
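The counting dispute above turns on a mechanical step: harvest whatever looks like a card number from the POS disk image, discard strings that fail the Luhn check, deduplicate, and count the unique Visa account numbers against the 10,000 minimum the counterclaim cites. The Python script below is an added example of that step; it is not code from the article, from Cisero's forensic examiners or from Visa. The disk dump is constructed from public test card numbers, the brand prefixes (4 for Visa, 51-55 and 2221-2720 for MasterCard) are assumptions about BIN ranges, and the threshold is a parameter rather than a statement of Visa's actual ADCR rules.

```python
import re
from collections import Counter

# Constructed sample of cleartext a forensic image of a POS drive might hold.
# All PANs are public test numbers; the transaction lines are invented.
POS_DUMP = """\
2008-03-14 21:02:11 sale  PAN=4111111111111111 exp=1109 amt=42.10
2008-03-14 21:05:40 sale  PAN=4012888888881881 exp=0510 amt=18.75
2008-03-14 21:05:40 void  PAN=4012888888881881 exp=0510 amt=18.75
2008-03-15 19:13:02 sale  PAN=5555555555554444 exp=0311 amt=63.00
2008-03-15 19:20:55 sale  PAN=4111 1111 1111 1111 exp=1109 amt=12.50
2008-03-15 19:44:09 sale  PAN=4111111111111112 exp=1210 amt=77.30
batch_id=1234567890123 merchant_id=99887766554433
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces/dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed ADCR minimum, taken from the counterclaim as reported; not Visa's text.
ADCR_MIN_UNIQUE_VISA = 10000


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> str:
    """Coarse brand guess from the leading digits (assumed BIN ranges)."""
    if pan.startswith("4"):
        return "visa"
    two, four = int(pan[:2]), int(pan[:4])
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    return "other"


def extract_pans(text: str) -> list:
    """Every Luhn-valid candidate in order of appearance, separators stripped."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """First six / last four, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def adcr_summary(text: str, threshold: int = ADCR_MIN_UNIQUE_VISA) -> dict:
    """Deduplicate the hits and compare unique Visa PANs with the threshold."""
    hits = extract_pans(text)
    unique = set(hits)
    per_brand = Counter(brand(p) for p in unique)
    visa = per_brand.get("visa", 0)
    return {
        "occurrences": len(hits),
        "unique_total": len(unique),
        "unique_by_brand": dict(per_brand),
        "unique_visa": visa,
        "visa_meets_adcr_minimum": visa >= threshold,
        # Report masked values so the report is not another cleartext PAN store.
        "masked_pans": sorted(mask(p) for p in unique),
    }


if __name__ == "__main__":
    for k, v in adcr_summary(POS_DUMP).items():
        print(f"{k}: {v}")
```

On the constructed dump the script finds five Luhn-valid occurrences that collapse to three unique PANs, two of them Visa, so the threshold is not met; the same deduplication step is where a figure like the 8,107 in the counterclaim comes from, and it is why raw hit counts and unique counts must not be conflated. The Luhn filter also drops the batch and merchant identifiers, which would otherwise inflate the count.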
MasterCard assessed $15,000 in fines against Cisero's, saying it decided "not to administer an issuer reimbursement process." However, multiple MasterCard issuing banks started proceedings to recover damages from U.S. Bancorp for the alleged fraud.
Cisero's further noted neither Elavon nor its parent company challenged the fines, deciding instead to accept them and pass the costs on to Cisero's.
"These are punitive fines that bear no relation to any amount of actual losses," Cisero's stated. "In fact, Visa and MasterCard will impose these fines even though there has been no fraud loss at all because these fines are profitable to them. ... The penalties are completely at the discretion of interested parties - namely Visa and MasterCard - that profit from this system.
"They are imposed on acquirers, which, pursuant to the indemnification provisions in typical merchant agreements, then help themselves to reimbursement from merchant bank accounts. Merchants have no recourse. There is no process directly available to merchants to challenge the fines, demand proof of noncompliance or present exonerating evidence."
According to Cisero's counterclaim, Bob Russo, General Manager of the PCI Security Standards Council (PCI SSC), confirmed PCI fine amounts are "arbitrary" in a speech he made in Houston in 2011.
Laura Johnson, PCI SSC Communications Manager, neither confirmed nor denied the remark when asked. "The Council is not in the business of compliance or issuing fines," she stated. "Nor do we have any comment on or part in this lawsuit. Enforcement of compliance with the [PCI DSS] and determination of any noncompliance penalties are carried out by the individual payment brands and not by the council."
MasterCard, Elavon and U.S. Bank did not respond to requests for comment. Visa issued a statement which said in part, "In every breach Visa has investigated, security weaknesses could have been addressed with full compliance with PCI DSS. ... Liability assessments are not intended to be punitive, and Visa considers the relative size of the merchant in assessing liability. The ADCR process was developed as an efficient mechanism for ensuring partial compensation to issuers for the losses suffered related to a compromise, including the counterfeit fraud that their cardholders experience."
Brandes Elitch, who is Director of Partner Acquisitions for CrossCheck Inc. and holds a law degree as well, believes the standard merchant contract is a "contract of adhesion." Such a contract is usually a standard form contract that allows for no negotiation because of the unequal bargaining positions of the parties involved. This kind of contract, while not necessarily illegal, is given special scrutiny by courts.
"What is important here is not this plaintiff, Cisero's Restaurant, (although they appear to have done everything possible to prevent/mitigate damages, and would be an ideal plaintiff to put in front of a jury)," Elitch said.
"It is that virtually every small business is in exactly the same situation. Visa put them in this situation, or to be more precise, the half dozen large issuers did, because they did not want to spend the money to replace the outdated mag stripe cards with EMV-chip cards, which would have solved this underlying problem in the first place.
"That was a business decision along the lines of Ford's decision not to relocate the gas tank in the Pinto. Ford calculated their exposure from wrongful death jury verdicts versus what it would have cost them to do the engineering changes, and made an incorrect cost-benefit decision. The same thing happened here."
Elitch said the big payments industry risk in the case is the possibility the court could modify interchange rates "and sharply curtail any profitability in the acquiring industry."
W. Stephen Cannon, a partner in the Constantine Cannon firm and one of the attorneys representing Cisero's, was the co-author of a December 2009 article titled "'The Currency of Progress?' Visa and MasterCard Arrogate Governmental Powers in the Name of Card System Security," published in HospitalityLawyer.com's PCI Compliance Newsletter.
In the paper Cannon and his co-author, Michael McCormack of Palma Advisors LLC, stated that PCI DSS enforcement currently assumes regulatory powers and authority that belong only to the government.
"Visa and MasterCard have set themselves up as prosecutor, judge and jury to penalize merchants and others with expressly denominated 'fines,' potentially amounting to hundreds of thousands of dollars - amounts that automatically can be deducted from payments owed to merchants from their card acceptance cash flow," they wrote.
The article asserted many of the same points made in the Cisero's counterclaim and stated the legal ability of the card companies to impose fines has not been settled. "One day, the test case will arise, and merchants should be prepared to act," the article concluded.
In an interview with The Green Sheet, Cannon did not call the Cisero's litigation his test case, but he did say, "Obviously, there are a lot of issues here of large importance." He said litigation is generally too expensive for most merchants to challenge fines - even fines amounting to hundreds of thousands of dollars.
Cannon said Cisero's had no choice but to defend itself in a suit initiated by Elavon.
"There is a question of enforceability of fines and penalties," Cannon said. "What governments can impose, private parties can't. We strongly believe this is a contract of adhesion, but these are very solid claims even if this is not found to be a contract of adhesion."
Cannon's partner Todd Anderson, who is also working on the Cisero's litigation, added, "The system is broken. It is completely disadvantageous to merchants and their customers. There is a cascade of liability flowing downhill, and merchants are left holding the bag. Cisero's is just the tip of the icebe