At first glance, it comes across as a potential no-win situation.
How can owners of a small restaurant in Park City, Utah, stand up to a large bank and card-processing company in a court of law, claiming funds were taken from them without their knowledge to cover fines for alleged Payment Card Industry data security compliance violations?
Industry analysts contemplate that scenario while Stephen and Theodora McComb, owners of Cisero’s Ristorante and Nightclub, prepare to face Elavon Inc. and parent U.S. Bancorp in a Utah court to contest the removal of $10,000 from their business account after a series of events led Visa Inc. and MasterCard Worldwide to levy fines for PCI noncompliance in the wake of an alleged data breach.
The twists and turns that led Elavon to sue Cisero’s Inc. to cover fines levied against Elavon, because of the discovery of hackers allegedly obtaining unencrypted credit card data stored in the restaurant’s payment system, bring an array of issues to light.
Because the McCombs claim Elavon took funds without telling them and that follow-up investigations did not prove a breach even occurred, the case figures to address key questions about merchant and processor relationships.
Under scrutiny will be the methods for proving whether a breach took place, how card brands determine how many cards are compromised and how they establish fine amounts, how a merchant is supposed to respond to a breach discovery, how a processor or issuing bank communicates contract particulars or changes, and whether the merchant-processor contract allows for removal of funds from a merchant account to cover fines without merchant consent.
The case figures to garner much attention, partly because Washington, D.C.-based Constantine Cannon LLP law firm will represent Cisero’s. Partner Lloyd Constantine was the lead attorney in the so-called Wal-Mart merchant antitrust suit challenging the “honor-all cards” rules of Visa Inc. and MasterCard Worldwide that resulted in the card brands settling with merchants for a combined $3.05 billion.
With that kind of legal firepower behind the restaurant, the case gets thrown into the public eye, which automatically “gives it a different feel,” merchant acquiring consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates tells PaymentsSource.
“The unique thing about this countersuit is that it is in the public eye, and many in the industry know about it,” Martaus says. “Usually, cases similar to this are managed quietly and carefully.”
The McCombs make a strong case against the processes that led to their $90,000 in fines, Martaus says. “It is truly a David vs. Goliath type of thing,” he adds. “I’m not a lawyer, but I know the law doesn’t necessarily provide a full level of justice, and this case is ripe for an explosive solution.”
Such an outcome likely would involve a ruling against the card processor and bank, bringing into question the contracts signed with merchants. And it also could shed some new light on how card networks investigate suspected card breaches.
Cisero’s lawyer Stephen Cannon says the case has several nuances, not the least of which centers on the breach investigations that the card networks approved and the McCombs paid for, and that the McCombs claim showed that no breach even took place.
Yet the card networks went ahead and fined Elavon, which in turn, and under contract protection, fined Cisero’s, Cannon tells PaymentsSource. U.S. Bancorp declined to comment on the case.
“Many questions come up as to how Visa concluded how much card data was exposed, when the McCombs’ findings are less than 8,000 cards, or less than the 10,000 card threshold Visa sets as its guideline for assessing fines,” Cannon says.
Still, the McCombs’ lawsuit contends that, even though 8,000 cards in the Cisero’s customer database potentially have been associated by the card networks with fraudulent card use, there is no proof the data were obtained through a breach on the restaurant’s payment system; the breach could have occurred elsewhere, Cannon contends.
Ultimately, the judge and jury will have to rule on where the liability falls in these cases, and that’s generally not with the card networks, Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup, tells PaymentsSource.
“If this is a flaw in the software of the system that allowed unencrypted card data to be stored in the system, that’s not the networks’ problem,” Riley says. “The law points to the merchants at the end of the day.”
But that may not stop merchants from having their day in court.
Indeed, Los Angeles attorney Nicholas Hornberger says he handled a similar case in which his client sued Visa directly in San Diego. In that case, $500,000 was removed from an account at Welk Resorts of San Diego to cover breach fines, and Visa provided Welk Resorts with no recourse to state its PCI compliance or seek options to pay such a large fine. The case settled out of court, and Hornberger could not disclose details of that settlement.
The case centered on a June 2009 breach in which hackers were able to install malicious software in the Welk Resorts payment system because software provider Micros Corp. allegedly left a default password in the system that hackers uncovered, Hornberger says. Hackers obtained data from up to 1,400 cards before the resort owners could pinpoint the password problem, he adds.
After an investigation from a Visa-certified qualified incident response assessor, Visa and MasterCard issued initial fines totaling no more than $17,000. But New York-based processor Renaissance Associates came back nine months later, saying Visa declared the resort “was eligible” for account data compromise recovery fines of $500,000, which had been taken from the resort’s JPMorgan Chase & Co. account, Hornberger explains. Renaissance never explained why it took Visa nine months to declare the fine, he adds.
Welk Resorts viewed the money grab as an unfair process and sued on the basis of no due process to discuss or object to the fines and no rules known to them to follow as part of a follow-up or hearing process related to the fines, Hornberger says.
California payments lawyer Paul Rianda tells PaymentsSource the Cisero’s case “shows other merchants that they can fight these types of fees and fines.”
In fact, the case brings into question the entire structure of fines for other issues, such as charge-backs, Rianda says.
“To the extent the merchant is successful, it could lead to class-action litigation on the issue of the enforceability of these types of fines and fees,” Rianda adds.
But Rianda says a high burden of proof falls on the merchant as to whether the contract itself is a problem.
“In most states the question is whether or not the contract is ‘unconscionable,’” Rianda notes. “Because this is a commercial setting, and not a consumer type of case, it is very hard to prove any of the provisions of the contract are unconscionable given the higher burden of proof in commercial cases.”
The contract issue aside, Cannon suspects the case will reveal aspects of network processes that have not previously been clearly explained to merchants.
“You have to remember that the McCombs’ claim states they had no notion or indication of a problem,” Cannon says. “In fact, they had rarely heard of PCI compliance prior to hearing of the suspected breach.”
The case takes on more meaning because “we have to move the curtain” to show how the networks operate and to make sure networks and processors communicate more clearly with merchants, Cannon contends.
Edward Lawrence, an analyst and director at Auriemma Consulting Group, reminds all involved that merchants are in business and have to read contracts and abide by them.
“It is up to the merchant to ensure that proper procedures are in place to safeguard information, including the encryption of data, which they store on databases they utilize,” Lawrence says. “It’s a cost of doing business.”
Though the case ultimately could have some bearing on the process behind PCI fines, or the contracts that determine who should pay those fines, it should not entertain questions about whether the industry supports PCI directives, Lawrence says.
“I think that merchants have an obligation to the PCI system as a whole to abide by any rule which allows them to conduct business successfully,” Lawrence contends. “In this case, it is acceptance of credit cards. Whether the merchant is supportive of PCI is really not material.”
What is material and what is not will be up for a jury to decide in state district court in Summit County, Utah, where legal teams await word on a hearing date from Judge Keith Kelly.
“We’re seeking a jury trial on our counterclaims, and we’re planning to litigate it to the end,” Cannon says.
And those in the payments industry are likely to keep a close watch every step of the way.