The owners of a small restaurant in Park City, Utah, are standing up to a large bank and card-processing company in court.
The restaurateurs claim funds were taken from them without their knowledge to cover fines for alleged Payment Card Industry data security compliance violations. Moreover, no one has even proved a breach occurred, the restaurant owners allege.
Stephen and Theodora McComb, owners of Cisero’s Ristorante and Nightclub, are preparing to face Elavon Inc. and parent U.S. Bancorp in a Utah court to contest the removal of $10,000 from their business account. The withdrawal came after Visa Inc. and MasterCard Worldwide levied fines against Elavon for failing to comply with PCI.
Elavon then sued Cisero’s to cover the fines because hackers allegedly obtained unencrypted credit card data stored in the restaurant’s payment system. U.S. Bancorp declined to comment.
Because the McCombs claim Elavon took funds without telling them and that investigations did not prove a breach occurred, the case addresses merchant and processor relationships.
Under scrutiny are the methods of proving a breach took place, how card brands determine how many cards are compromised, how they establish fines, how a merchant is supposed to respond to a breach, how a processor or issuing bank communicates contract particulars or changes, and whether the merchant-processor contract allows for removal of funds from a merchant account to cover fines without the merchant’s consent.
The case is attracting attention, partly because Washington, D.C.-based Constantine Cannon LLP law firm will represent Cisero’s. Partner Lloyd Constantine was the lead attorney in the so-called Wal-Mart merchant antitrust suit challenging the “honor-all cards” rules of Visa Inc. and MasterCard Worldwide that resulted in the card brands settling with merchants for a combined $3.05 billion.
With that kind of legal firepower backing the restaurant, the case has “a different feel,” observes merchant acquiring consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates.
“The unique thing about this countersuit is that it is in the public eye, and many in the industry know about it,” Martaus says. “Usually, cases similar to this are managed quietly and carefully.”
The McCombs make a strong case against the processes that led to their $90,000 in fines, Martaus says. “It is truly a David versus Goliath type of thing,” he adds. “I’m not a lawyer, but I know the law doesn’t necessarily provide a full level of justice, and this case is ripe for an explosive solution.”
An “explosive” outcome might involve a ruling against the card processor and bank, bringing into question the contracts signed with merchants. And it also could shed light on how card networks investigate suspected card breaches.
Cisero’s lawyer Stephen Cannon says a key element centers on the breach investigations that the card networks approved, and the McCombs paid for, that they claim showed no breach took place.
Yet the card networks fined Elavon, which in turn, and under contract protection, fined Cisero’s, Cannon says.
“Many questions come up as to how Visa concluded how much card data was exposed, when the McCombs’ findings are less than 8,000 cards, or less than the 10,000 card threshold Visa sets as its guideline for assessing fines,” Cannon says.
Still, the McCombs contend in the lawsuit that even though the card networks associate 8,000 cards in the Cisero’s customer database with fraudulent card use, they have no proof the data were obtained through a breach of the restaurant’s payment system; the breach could have occurred elsewhere, Cannon contends.
Ultimately, the judge and jury will rule on where the liability falls in such cases, and that’s generally not with the card networks, says Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup.
“If this is a flaw in the software of the system that allowed unencrypted card data to be stored in the system, that’s not the networks’ problem,” Riley says. “The law points to the merchants at the end of the day.”
But that may not stop merchants from having their day in court.
Indeed, Los Angeles attorney Nicholas Hornberger says he handled a similar case in which his client sued Visa directly in San Diego. In that case, $500,000 was removed from an account of Welk Resorts of San Diego to cover breach fines, and Visa provided Welk Resorts with no recourse to state its PCI compliance or seek options to pay such a large fine. The case was settled out of court, and Hornberger could not disclose details of that settlement.
The case centered on a June 2009 breach in which hackers installed malicious software in the Welk Resorts payment system after a software provider allegedly left a default password in the system that hackers uncovered, Hornberger says. Hackers obtained data from up to 1,400 cards before the resort owners could pinpoint the password problem, he adds.
After an investigation by a Visa-certified qualified incident response assessor, Visa and MasterCard issued initial fines of about $17,000. But New York-based processor Renaissance Associates came back nine months later, saying Visa declared the resort “was eligible” for account data compromise recovery fines of $500,000, which had been taken from the resort’s JPMorgan Chase & Co. account, Hornberger says. Renaissance did not explain why it took Visa nine months to declare the fine, he adds.
Welk Resorts viewed the money grab as unfair and sued on the basis of having no due process to object to the fines and no follow-up or hearing process related to the fines, Hornberger says.
California payments lawyer Paul Rianda says the Cisero’s case “shows other merchants that they can fight these types of fees and fines.”
In fact, the case brings into question the entire structure of fines for other issues, such as charge-backs, Rianda says.
“To the extent the merchant is successful, it could lead to class-action litigation on the issue of the enforceability of these types of fines and fees,” Rianda adds.
But Rianda says a high burden of proof falls on the merchant as to whether the contract itself is a problem.
“In most states the question is whether or not the contract is ‘unconscionable,’” Rianda notes. “Because this is a commercial setting, and not a consumer case, it is hard to prove any of the provisions of the contract are unconscionable given the higher burden of proof in commercial cases.”