Retailer hauls Visa to court over $13.3M fine for payment card data breach
Fine is illegal, unjustified and in violation of Visa's own policies, says Genesco
Genesco, a specialty retailer of footwear, sports apparel and related accessories, has sued Visa USA for $13.3 million in fines that were assessed against the company after a credit card data breach in 2010.
In a 49-page complaint filed in the U.S. District Court for the Middle District of Tennessee last week, the Nashville-based retailer claimed that Visa's fines were unjustified and unenforceable under the law.
Genesco's lawsuit is the first to challenge a credit card company on the issue of fines resulting from payment card data breaches.
Genesco, like every other entity that accepts credit and debit card payments, is required to comply with the Payment Card Industry Data Security Standards (PCI DSS), a set of controls put in place several years ago by Visa, designed to help companies bolster defenses against attacks designed to steal data.
Over the years, credit card companies have assessed hefty fines against merchants who suffered payment card data breaches, purportedly as a result of their failure to comply with PCI DSS requirements.
Genesco was one such company. In 2010, the retailer suffered an intrusion in which unknown attackers attempted to steal payment card information from its networks.
According to Genesco's complaint, the attackers installed packet-sniffing malware on the company's network in an apparent bid to grab unencrypted card data as it was being transmitted for approval to card-issuing banks. The malware was designed to capture the card data and transmit it back to the attackers periodically.
After the intrusion was discovered, Visa issued an alert to affected card issuers, informing them that every Visa card that was processed by Genesco over a one-year period between Dec. 2009 and Dec. 2010 had been compromised. Visa later collected a total of $13.29 million in fines from Wells Fargo Bank and Fifth Third Bank, the two "acquiring banks" that had authorized Genesco's participation in the Visa payment system.
Under PCI DSS rules, acquiring banks are contractually responsible for ensuring that any merchants they authorize for payment card transactions are fully compliant with PCI DSS requirements. They can be fined if one of their merchants gets breached as a result of a failure to comply with PCI. Acquiring banks typically pay the fines to the credit card companies, and later recover it from the merchant that suffered the breach.
In keeping with the practice, both Wells Fargo and Fifth Third collected from Genesco the amounts they had paid to Visa by way of fines.
In its lawsuit, Genesco claimed the fines were totally unjustified. It noted that Visa's own rules specify fines only in situations where a breach occurred because of a company's failure to comply with PCI. Even then, fines are applicable only if more than 10,000 cards are compromised. There also needs to be actual and demonstrable financial damage resulting from fraud or counterfeiting before a fine can be imposed.
None of these situations applied with the 2010 intrusion, Genesco said in its complaint. The company noted that it was fully compliant with PCI requirements at the time of the breach. As required under PCI, no card data was ever stored on Genesco's systems at any time during the intrusion.
The only card data that was potentially exposed was the unencrypted card data being transmitted for approval. Visa's own rules at the time did not require companies to encrypt such data while it was being transmitted, Genesco maintains.
The retailer also challenged Visa's assertion that all card data handled by the company over a one-year period was exposed in the intrusion. Genesco maintained that the servers handling the transactions were rebooted periodically. As a result, even if some card data had been stored in server log files they would have been erased each time the server rebooted. This would mean there was little chance that all cards that were handled by the company over a one-year period would have been exposed.
Importantly, Visa failed to show that either it or any card issuers suffered any actual damages from the breach, Genesco said. According to Genesco, the intrusion did not result in any fraudulent activity or financial losses remotely amounting to the fines charged by Visa for the intrusion.
The company has also challenged the legality of Visa's actions, noting that the fines amounted to an illegal penalty rather than a fine based on actual damages. "Visa does not even pretend that the non-compliance fines represent actual damages that Visa incurred," as result of Genesco's alleged failure to comply with PCI, the company said in its complaint.
Visa did not respond to a request for comment.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about data security in Computerworld's Data Security Topic Center.