Genesco's $13 million lawsuit against Visa Inc., filed last week in a Tennessee court, has a similar ring to it as a countersuit Cisero's Ristorante and Nightclub in Park City, Utah filed last year against its acquiring bank and processor.
At their cores, both legal battles question the system for levying fines in the wake of suspected breaches, while also questioning the effectiveness of the Payment Card Industry data security standards.
However, Genesco's suit is considered the first "known" case to directly challenge card companies over the self-regulated PCI standards, which provide guidance for banks and merchants to secure credit and debit card data.
The Cisero's case, on the other hand, involves the owners of the restaurant suing Elavon Inc. and US Bancorp for taking $10,000 out of the restaurant business account as a first step in covering $90,000 in fines that Visa and MasterCard imposed against the bank for a suspected breach at Cisero's.
The Cisero's lawsuit was filed in February of 2012, based on a 2008 alleged breach and Elavon taking money from the Cisero's account, but hearings on a motion to dismiss continue more than a year later, one taking place as recently as last week.
The Cisero's lawsuit questions how Visa tabulated the liability for the restaurant's alleged noncompliance at $1.33 million, yet set the fine at $55,000. MasterCard, meanwhile, established its fine at $15,000. After more card issuers came forward citing losses, the card networks boosted the fines to the $90,000 figure.
Such adjustment of fine amounts indicates how arbitrary the system is, says lawyer Steve Cannon, of Washington, D.C.-based Constantine Cannon LLP law firm. Cannon represents Cisero's owners, Stephen and Theodora McComb, in the case.
Lawyers for neither Visa nor Genesco could be reached for comment. Elavon did not respond to a request for comment.
Even though breach-related fines seem capricious and complaints against them will likely get louder, the fines and their nature serve an important purpose, says merchant acquirer consultant and industry researcher Paul Martaus, of Mountain Home, Ark.-based Martaus & Associates.
"The fines are ugly and they don't make sense on the surface, but the branded cards have the responsibility of assuring the consuming public that using plastic cards is safe," Martaus says. "Without a self-policing mechanism like PCI, it would be easy for the card-using public to just say this isn't a safe way to pay."
Because each case is different, it is easy to take a view that card brands can "manipulate the fines," Martaus says. However, when card brands fine the merchant bank, the amount of the fine "can mushroom and expand" because they are often based on "a vast range of issuing banks that were injured in the process," he adds.
Still, the process comes across as very arbitrary and merchants have every right to question the process, Martaus says.
The Genesco case revolves around $13 million that was seized from Genesco's merchant bank accounts this year by Wells Fargo and Fifth Third Financial — two companies involved in processing bank card transactions from Genesco stores — after Visa fined the banks over the breach of Genesco's network that occurred in 2010.
In its claim against Visa, Genesco contends that security software on its network never provided evidence that the hackers actually stole card data, yet Visa levied its fines against the banks anyway to recover costs of fraudulent charges made to accounts.
"The Genesco case is making essentially the same claim [as Cisero's], that all of the fees or fines are an unenforceable penalty under the law," Cannon says. "The main difference is that Genesco is not going to sue their acquirers, they are going straight to Visa."
As the number of data breaches being made public continues to mount, the card brands and PCI fines are likely to come under heavier fire in the future, says Paul Rianda, a payments industry lawyer based in Irvine, Calif.
"In looking at the policies on the Visa website for reporting a compromise, it appears the fines are very arbitrary," Rianda says.
If a merchant or bank does not report [what is believed to be a breach], they could get a $1,000 fine, but the fines could eventually mount to $500,000, Rianda says.
"The punishment doesn't seem to fit the crime, but mostly it's more of a question of how do you know what you'll be fined?" Rianda asks.