NASHVILLE, Tenn. - A region-wide department chain filed suit against Visa challenging the payment card industry standards under which the merchant was fined $13 million for a 2010 data breach.
Genesco, which operates 2,440 Journeys, Lids and Johnston & Murphy stores, says that the penalties imposed by Visa for alleged PCI security standards failings were not authorized under the card giant's own rules and breached its own contracts with acquiring banks.
The sports apparel retailer is fighting back against what it calls the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing the first suit challenging the PCI rules.
In 2010 hackers hit Genesco's systems, installing "packet sniffing" software designed to steal payment card details. However, the firm says in its complaint that it found no evidence that account data was stolen.
Despite this, Visa fined the retailer's acquiring banks, Fifth Third Bank and Wells Fargo, $5,000 each and levied another $13.3 million to cover operating expenses and fraudulent charges made to the accounts. The banks then took the money from Genesco's accounts.
The retailer says that it did not violate PCI rules. It maintains that the "packet sniffing" software in its systems was designed to take advantage of a PCI DSS protocol feature under which the account data needed to approve a mag-stripe transaction can be transmitted unencrypted.
The PCI rules were created by Visa and MasterCard as an industry standard and authorized the card companies to levy fines for noncompliance by merchants to ensure adherence to data protection rules.
PCI standards require businesses accepting credit and debit card payments to implement a series of technological steps to secure card data. When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of the merchants, who have more incentive to fight the fines. Third-party banks then simply collect the money from the customer’s account or sue them for uncollected balances, using the indemnification clauses in their contracts to justify it.
The suit, filed in the U.S. District Court for the Middle District of Tennessee, says that Visa levied the penalties despite the fact that several of its own requirements - including that there was a PCI violation that enabled the theft and that details of at least 10,000 accounts were stolen - were not met.











