It's a common story: a merchant suffers a payment data breach, the merchant's acquirer gets fined, and the acquirer passes along the fine to the merchant. Usually, life goes on.
But the owners of a small restaurant in Park City, Utah, are standing up to a large bank and card-processing company in a court of law, claiming funds were taken from them without their knowledge to cover fines for alleged Payment Card Industry data security compliance violations.
The payment industry is paying attention to the issues being brought before the court by Stephen and Theodora McComb, owners of Cisero's Ristorante and Nightclub, as they prepare to fight a lawsuit brought by Elavon Inc. and parent U.S. Bancorp in a Utah court. The restaurateurs are contesting the removal of $10,000 from their business account after a series of events led Visa Inc. and MasterCard Inc. to levy fines for PCI violations. The fines against the restaurant totaled $90,000 altogether. Cisero's refused to pay the remainder of those fines, prompting U.S. Bank and Elavon to file a lawsuit in 2010.
Because the McCombs claim Elavon took funds without telling them and that follow-up investigations did not prove a breach even occurred, the case figures to address key questions about merchant and processor relationships.
Under scrutiny will be the methods for proving whether a breach took place, how card brands determine how many cards are compromised and how they establish fine amounts, how a merchant is supposed to respond to a breach discovery, how a processor or issuing bank communicates contract particulars or changes, and whether the merchant-processor contract allows for removal of funds from a merchant account to cover fines without merchant consent.
The case figures to garner much attention, partly because Washington, D.C.-based Constantine Cannon LLP law firm will represent Cisero's. Partner Lloyd Constantine was the lead attorney in the so-called Wal-Mart merchant antitrust suit challenging the "honor-all cards" rules of Visa and MasterCard that resulted in the card brands settling with merchants for a combined $3.05 billion.
With that kind of legal firepower behind the restaurant, the case draws a lot more attention, which automatically "gives it a different feel," says merchant acquiring consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates.
"The unique thing about this countersuit is that it is in the public eye, and many in the industry know about it," Martaus says. "Usually, cases similar to this are managed quietly and carefully."
The McCombs make a strong case against the processes that led to their $90,000 in fines, Martaus says.
"It is truly a David vs. Goliath type of thing," he says. "I'm not a lawyer, but I know the law doesn't necessarily provide a full level of justice, and this case is ripe for an explosive solution."
A ruling against the card processor and bank would bring into question the nature of the contracts signed with merchants. And it also could shed some new light on how card networks investigate suspected card breaches.
Cisero's lawyer Stephen Cannon says the case has several nuances, not the least of which centers on the breach investigations that the card networks approved, and the McCombs paid for, that they claim resulted in showing that no breach even took place.
Yet the card networks went ahead and fined Elavon, which in turn, and under contract protection, fined Cisero's, Cannon says. U.S. Bancorp declined to comment on the case.
The McCombs' lawsuit contends that, even though 8,000 cards in the Cisero's customer database potentially have been associated by the card networks with fraudulent card use, there is no proof the data were obtained through a breach on the restaurant's payment system; the breach could have occurred elsewhere, Cannon says.
"Many questions come up as to how Visa concluded how much card data was exposed, when the McCombs' findings are less than 8,000 cards, or less than the 10,000 card threshold Visa sets as its guideline for assessing fines," Cannon says.
Ultimately, the judge and jury will have to rule on where the liability falls in these cases, and that's generally not with the card networks, says Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup.
"If this is a flaw in the software of the system that allowed unencrypted card data to be stored in the system, that's not the networks' problem," Riley says. "The law points to the merchants at the end of the day."
But that may not stop merchants from having their day in court.
Indeed, Los Angeles attorney Nicholas Hornberger says he handled a similar case in which his client sued Visa directly in San Diego. In that case, $500,000 was removed from an account at Welk Resorts of San Diego to cover breach fines, and Visa provided Welk Resorts with no recourse to state its PCI compliance or seek options to pay such a large fine. The case settled out of court, and Hornberger could not disclose details of that settlement.
The case centered on a June 2009 breach in which hackers were able to install malicious software in the Welk Resorts payment system because software provider Micros Corp. allegedly left a default password in the system that hackers uncovered, Hornberger says. Hackers obtained data from up to 1,400 cards before the resort owners could pinpoint the password problem, he adds.
After an investigation from a Visa-certified qualified incident response assessor, Visa and MasterCard issued initial fines totaling no more than $17,000. But New York-based processor Renaissance Associates came back nine months later, saying Visa declared the resort "was eligible" for account data compromise recovery fines of $500,000, which had been taken from the resort's JPMorgan Chase & Co. account, Hornberger says. Renaissance never explained why it took Visa nine months to declare the fine, he adds.
Welk Resorts viewed the money grab as an unfair process and sued on the basis of no due process to discuss or object to the fines and no rules known to them to follow as part of a follow-up or hearing process related to the fines, Hornberger says.
California payments lawyer Paul Rianda tells says the Cisero's case "shows other merchants that they can fight these types of fees and fines."
In fact, the case brings into question the entire structure of fines for other issues, such as charge-backs, Rianda says.
"To the extent the merchant is successful, it could lead to class-action litigation on the issue of the enforceability of these types of fines and fees," Rianda says.
But Rianda says a high burden of proof falls on the merchant as to whether the contract itself is a problem.
"In most states the question is whether or not the contract is 'unconscionable,'" Rianda says. "Because this is a commercial setting, and not a consumer type of case, it is very hard to prove any of the provisions of the contract are unconscionable given the higher burden of proof in commercial cases."
The contract issue aside, Cannon suspects the case to reveal aspects of network processes that have not previously been clearly explained to merchants.
"You have to remember that the McCombs' claim states they had no notion or indication of a problem," Cannon says. "In fact, they had rarely heard of PCI compliance prior to hearing of the suspected breach."
The case takes on more meaning because "we have to move the curtain" to show how the networks operate and to make sure networks and processors communicate more clearly with merchants, Cannon contends.
Edward Lawrence, an analyst and director at Auriemma Consulting Group, stresses that merchants are in business and have to read contracts and abide by them.
"It is up to the merchant to ensure that proper procedures are in place to safeguard information, including the encryption of data, which they store on databases they utilize," Lawrence says. "It's a cost of doing business."
Though the case ultimately could have some bearing on the process behind PCI fines, or the contracts that determine who should pay those fines, it should not entertain questions about whether the industry supports PCI directives, Lawrence says.
"I think that merchants have an obligation to the PCI system as a whole to abide by any rule which allows them to conduct business successfully," Lawrence says. "In this case, it is acceptance of credit cards. Whether the merchant is supportive of PCI is really not material."
What is material and what is not will be up for a jury to decide in state district court in Summit County, Utah, where legal teams await word on a hearing date from Judge Keith Kelly.
"We're seeking a jury trial on our counterclaims, and we're planning to litigate it to the end," Cannon says.
And those in the payments industry are likely to keep a close watch every step of the way.