A small restaurant in Park City, Utah, figures to play a big role in determining how card networks prove suspected card data security breaches and whether card processors rightfully can deduct funds from merchant accounts–without telling the merchants–to cover their own network fines for breaches allegedly stemming from a client failing to comply with Payment Card Industry data-security standards.
Owners of Cisero’s Ristorante and Nightclub filed a countersuit in September charging their former payment processors, Elavon Inc. and parent U.S. Bank National Association, with removing $10,000 from the restaurant business account without “proper notice and the opportunity to contest false assumptions” to cover a portion of PCI fines related to an alleged card-data breach at the restaurant.
Stephen and Theodora McComb, the restaurant owners, were told investigations revealed their point-of-sale terminal stored unencrypted credit card data in violation of PCI standards. The McCombs contend in their lawsuit that their separate investigations revealed no evidence of a breach, but the core of their lawsuit questions whether Elavon and U.S. Bank could contractually deduct funds from the restaurant account without their permission.
The McCombs filed the lawsuit in state district court in Summit County, Utah, where Judge Keith Kelly will hear the case. No hearing date has been set.
The judge has not been in contact with the Washington, D.C.-based Constantine Cannon LLP law firm representing Cisero’s Inc., lawyer Stephen Cannon tells ISO&Agent Weekly.
(Partner Lloyd Constantine was the lead attorney in the so-called Walmart merchant antitrust suit challenging the “honor-all-cards” rules of Visa Inc. and MasterCard Worldwide that resulted in the card brands settling and paying merchants $3.05 billion.)
Lawyers for Elavon and U.S. Bank have not indicated any sort of settlement could be forthcoming, Cannon says. “At this point, we’re litigating it, period,” Cannon adds.
The lawsuit represents a new chapter in a four-year conflict between the restaurant and its former card processors. Visa notified U.S. Bank in March 2008 that improper handling of card data at the restaurant led to a breach that exposed more than 8,000 debit and credit card accounts. Visa and MasterCard pointed to Cisero’s as the common link among all the fraudulently used accounts.
When MasterCard and Visa fined U.S. Bank, claiming Cisero’s violated PCI standards by storing unencrypted card data on its point-of-sale system, Elavon turned around in May 2010 and sued Cisero’s for fines and fees totaling $90,000.
In the suit, Cisero’s questions how Visa tabulated the liability for the restaurant’s alleged noncompliance at $1.33 million, yet set the fine at $55,000. MasterCard, meanwhile, established its fine at $15,000. After more card issuers came forward citing losses, the card networks boosted the fines to the $90,000 figure.
PCI guidelines allow card brands to fine banks and card processors, but not merchants and retailers. However, banks and card processors enter separate agreements with merchants that generally shift the liability for paying fines to those clients.
Under PCI rules, Cisero’s was obligated to hire two firms to conduct investigations, and neither produced evidence of a breach, Cannon says.
Ultimately, the Cisero’s lawsuit expresses the McCombs’ belief that merchants are forced to sign contracts that favor the bank and the payment card industry through the PCI compliance measures, Cannon adds.
The lawsuit states that, instead of notifying the McCombs of the fines and offering an opportunity to dispute the claims from Visa and MasterCard, the bank and the card processor “helped themselves” to about $10,000 from the McCombs’ U.S. Bank account.
Shortly after realizing what had happened, the McCombs refused to pay the remainder of the fines and closed the bank account before U.S. Bank could withdraw more funds.
The plaintiffs contend in the lawsuit that the contracts can change without notice and allow random fines on merchants with no mechanism for providing proof of a breach or monetary loss. In addition, the plaintiffs claim merchants are not allowed a hearing or procedure with the networks, processors or banks to dispute breach claims before having funds seized.
Industry observers likely will keep a close watch on the case, in part because a countersuit from a merchant is rare. More importantly, a court ruling that U.S. Bank’s indemnification is illegal ultimately could change how acquirers and processors and their merchant clients structure contracts establishing response and liability after card breaches.