Merchants are facing consumer lawsuits stemming from the introduction of EMV-chip card security at the point of sale in the U.S., exposing the issues many stores must contend with now that they are held liable for fraud and chargebacks.
In February, a Wendy’s customer filed a class action against the fast food chain, alleging that it failed to protect customers’ credit and debit card information, as well as other personally identifiable information. The suit claims all of that information was exposed when Wendy’s experienced a data breach in January, and that Wendy’s failed to take “adequate and reasonable measures” to make sure that its data systems were protected beforehand.
Although the lawsuit does not specifically reference EMV, it does allege that Wendy’s was not using the most up-to-date processing equipment. The suit suggests that hackers employed the same malware that enabled recent cyber attacks such as the breaches at Home Depot and Target.
“While many retailers, banks and card companies have responded to these recent breaches by adopting technology and security practices that help [make] transactions and stored data more secure, Wendy’s has acknowledged that it did not do so,” the suit states.
Lawsuits are not the only consequence merchants face. Typically if a merchant suffers a data breach, it can expect fines for violating the Payment Card Industry data security standard, which describes how organizations must protect cardholder data.
There may also be a reputational hit and a loss of business. eBay faced this issue after a 2014 cyberattack led it to ask users to reset their passwords; many consumers did not, and even those that chose a new password did not resume their previous level of activity. The breach became a major factor in eBay's decision to lower its full-year revenue guidance by $200 million.
But consumer lawsuits are a new risk, experts say.
"We are not aware of any consumers suing merchants after the merchant's point of sale system was hacked," said Paul Hunter, president and CEO of Tampa-based processor Sterling Payment Technologies.
Attorney Stephen Aschettino, chairman of the payment team at Foley & Lardner LLP, says that although the Wendy’s case is noteworthy, it’s not necessarily the “test pilot” case the industry has been watching out for because no one is placing chargeback liability on the retailer.
“I think they’re just trying to show that Wendy’s failure to use the EMV chip is some form of negligence,” Aschettino says. “If my analysis is correct, I think that’s very different than the liability shift issue that we in the industry are very worried about.”
Aschettino says he’s still waiting to see the type of lawsuit in which a credit card company denies a customer’s chargeback, and then the customer goes after the merchant for damages.
A closer example, he says, is a lawsuit filed in March by B&R Supermarket against most of the major card networks and issuers — including Visa, MasterCard, American Express and Wells Fargo —claiming thousands of dollars in losses because of the EMV shift. B&R owns Milam’s Market and Grove Liquors in Florida and claims it bought all-new equipment for its stores well in advance of the liability shift but never received EMV certification from the card networks. As a result, B&R was held liable for $10,000 in charges in four and a half months because of fraud, chargebacks and fees.
Aschettino says it’s likely that the supermarket chain isn’t alone in its predicament.
“Depending on the magnitude of the chargebacks and resources of the merchants, some merchants may be willing to challenge those rules,” he says. “I do foresee there will be more litigation going forward on these issues.”
Vulnerable merchants, savvy consumers
The potential for future lawsuits stems from the fact that many merchants have taken steps to purchase new EMV equipment and train their employees how to use the system, but are still stuck having to use the old magstripe systems because they’re still waiting for certification from the card networks.
“The whole thing is resulting in merchants facing losses that they wouldn’t have to pay otherwise. I don’t know where the inherent fairness is in that,” said Irvine, Calif.-based attorney Paul Rianda, who specializes in the bankcard industry.
Hunter predicts it will take about two years for most of the certifications to be complete. “Merchants have had a difficult, if not impossible time, being ready in time for the liability shift,” he says. “And we are seeing a rapid increase in consumers purposefully charging back transactions when they see a merchant not utilizing EMV technology in a card present environment.”
Sal DiDonato, CEO of Red Bank, N.J., merchant services provider Priority Payments Local, says although it’s unclear whether more lawsuits will surface, he’s noticed an increasing number of cardholders are savvy about EMV requirements. “More and more consumers are becoming aware of the liability shift and trying to take advantage when they see fit,” he says.
That’s not to say that filing these lawsuits will be easy.
Rianda says ISOs and merchants have consulted with him about problems they’ve had with EMV, but that lawsuits can be difficult to bring against the parties empowered to make changes.
“Other than suing your processor, what else are you going to do?” he asks. “Usually the amounts are so small that unless you do a class-action suit, there’s not a whole lot you can do for them.”
As far as consumer-led lawsuits like the Wendy’s case go, merchants are in a compromising position from allegation that they failed to protect consumers' information from a data breach. Ever since the 2007 TJ Maxx data breach, concerns have mounted about hackers pulling off data theft on a large scale, and those kinds of attacks can be damaging to a retailer’s reputation, said Rick Oglesby, partner with Centennial, Colo., industry consulting firm Double Diamond Group.
“Regardless of what happens with this particular suit, anything that’s consumer-driven is going to impact the brand,” Oglesby says. “And whether they win or lose, merchants don’t want any part of this kind of suit at all.”
Aschettino cautions that banks, merchants and anyone else who could be implicated in these types of lawsuits need to have a well thought-out position ahead of time, and to implement strategies to make sure that these suits don’t fuel the creation of laws that are hostile to the industry.
“The whole EMV shift paradigm was designed to protect consumers,” he says. “If the failure to adopt it can somehow be used as a sword by the plaintiffs against merchants, I don’t believe that was the intent.”