Can the owners of a small restaurant in Park City, Utah, stand up to a large bank and card-processing company in a court of law? The restaurateurs claim funds were taken from them without their knowledge to cover fines for alleged Payment Card Industry data security compliance violations. Moreover, no one has even proved a breach occurred, the restaurant owners allege.
Industry analysts are contemplating that scenario as Stephen and Theodora McComb, owners of Cisero’s Ristorante and Nightclub, prepare to face Elavon Inc. and parent U.S. Bancorp in a Utah court to contest the removal of $10,000 from their business account. The withdrawal came after Visa Inc. and MasterCard Worldwide levied fines for failing to comply with PCI in the wake of an alleged data breach.
A number of twists and turns led Elavon to sue Cisero’s to cover fines levied against Elavon because hackers allegedly obtained unencrypted credit card data stored in the restaurant’s payment system.
Because the McCombs claim Elavon took funds without telling them and that follow-up investigations did not prove a breach occurred, the case addresses key questions about merchant and processor relationships.
Under scrutiny are the methods for proving whether a breach took place, how card brands determine how many cards are compromised, how they establish fines, how a merchant is supposed to respond to a breach, how a processor or issuing bank communicates contract particulars or changes, and whether the merchant-processor contract allows for removal of funds from a merchant account to cover fines without the merchant’s consent.
The case is attracting attention, partly because Washington, D.C.-based Constantine Cannon LLP law firm will represent Cisero’s. Partner Lloyd Constantine was the lead attorney in the so-called Wal-Mart merchant antitrust suit challenging the “honor-all-cards” rules of Visa Inc. and MasterCard Worldwide that resulted in the card brands settling with merchants for a combined $3.05 billion.
With that kind of legal firepower backing the restaurant, the case has “a different feel,” merchant acquiring consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates tells ISO&Agent Weekly.
“The unique thing about this countersuit is that it is in the public eye, and many in the industry know about it,” Martaus says. “Usually, cases similar to this are managed quietly and carefully.”
The McCombs make a strong case against the processes that led to their $90,000 in fines, Martaus says. “It is truly a David versus Goliath type of thing,” he adds. “I’m not a lawyer, but I know the law doesn’t necessarily provide a full level of justice, and this case is ripe for an explosive solution.”
Such an outcome likely would involve a ruling against the card processor and bank, bringing into question the contracts signed with merchants. And it also could shed light on how card networks investigate suspected card breaches.
Cisero’s lawyer Stephen Cannon says the case has several key elements, not least the breach investigations, approved by the card networks and paid for by the McCombs, which the McCombs say showed that no breach took place at all.
Yet the card networks went ahead and fined Elavon, which in turn, and under contract protection, fined Cisero’s, Cannon tells ISO&Agent Weekly.
“Many questions come up as to how Visa concluded how much card data was exposed, when the McCombs’ findings are less than 8,000 cards, or less than the 10,000 card threshold Visa sets as its guideline for assessing fines,” Cannon says.
Still, the McCombs contend in the lawsuit that, even though the card networks associate 8,000 cards in the Cisero’s customer database with fraudulent card use, there is no proof the data were obtained through a breach of the restaurant’s payment system; the breach could have occurred elsewhere, Cannon says.
Ultimately, the judge and jury will have to rule on where the liability falls in such cases, and that’s generally not with the card networks, Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup, tells ISO&Agent Weekly.
“If this is a flaw in the software of the system that allowed unencrypted card data to be stored in the system, that’s not the networks’ problem,” Riley says. “The law points to the merchants at the end of the day.”
But that may not stop merchants from having their day in court.
Indeed, Los Angeles attorney Nicholas Hornberger says he handled a similar case in which his client sued Visa directly in San Diego. In that case, $500,000 was removed from an account at Welk Resorts of San Diego to cover breach fines, and Visa provided Welk Resorts with no recourse to state its PCI compliance or seek options to pay such a large fine. The case was settled out of court, and Hornberger could not disclose details of that settlement.
The case centered on a June 2009 breach in which hackers were able to install malicious software in the Welk Resorts payment system because software provider Micros Corp. allegedly left a default password in the system that hackers uncovered, Hornberger says. Hackers obtained data from up to 1,400 cards before the resort owners could pinpoint the password problem, he adds.
After an investigation from a Visa-certified qualified incident response assessor, Visa and MasterCard issued initial fines totaling no more than $17,000. But New York-based processor Renaissance Associates came back nine months later, saying Visa declared the resort “was eligible” for account data compromise recovery fines of $500,000, which had been taken from the resort’s JPMorgan Chase & Co. account, Hornberger says. Renaissance never explained why it took Visa nine months to declare the fine, he adds.
Welk Resorts viewed the money grab as unfair and sued on the basis of having no due process to discuss or object to the fines and no rules known to them to follow as part of a follow-up or hearing process related to the fines, Hornberger says.
California payments lawyer Paul Rianda tells ISO&Agent Weekly the Cisero’s case “shows other merchants that they can fight these types of fees and fines.”
In fact, the case brings into question the entire structure of fines for other issues, such as charge-backs, Rianda says.
“To the extent the merchant is successful, it could lead to class-action litigation on the issue of the enforceability of these types of fines and fees,” Rianda adds.
But Rianda says a high burden of proof falls on the merchant as to whether the contract itself is a problem.
“In most states the question is whether or not the contract is ‘unconscionable,’” Rianda notes. “Because this is a commercial setting, and not a consumer type of case, it is very hard to prove any of the provisions of the contract are unconscionable given the higher burden of proof in commercial cases.”
The contract issue aside, Cannon expects the case to reveal aspects of network processes that have not previously been clearly explained to merchants.
“You have to remember that the McCombs’ claim states they had no notion or indication of a problem,” Cannon says. “In fact, they had rarely heard of PCI compliance prior to hearing of the suspected breach.”
The case takes on more meaning because “we have to move the curtain” to show how the networks operate and to make sure networks and processors communicate more clearly with merchants, Cannon contends.
Edward Lawrence, an analyst and director at Auriemma Consulting Group, reminds all involved that merchants are in business and have to read contracts and abide by them.
“It is up to the merchant to ensure that proper procedures are in place to safeguard information, including the encryption of data, which they store on databases they utilize,” Lawrence says. “It’s a cost of doing business.”
Though the case ultimately could have some bearing on the process behind PCI fines, or the contracts that determine who should pay those fines, it should not entertain questions about whether the industry supports PCI directives, Lawrence says.
“I think that merchants have an obligation to the PCI system as a whole to abide by any rule which allows them to conduct business successfully,” Lawrence contends. “In this case, it is acceptance of credit cards. Whether the merchant is supportive of PCI is really not material.”
What is material and what is not will be up for a jury to decide in state district court in Summit County, Utah, where legal teams await word on a hearing date from Judge Keith Kelly.
“We’re seeking a jury trial on our counterclaims, and we’re planning to litigate it to the end,” Cannon says.
And the payments industry seems likely to keep a close watch every step of the way.