Genesco, a specialty retailer of footwear, sports apparel and related accessories, has sued Visa USA for $13.3 million in fines that were assessed against the company after a credit card data breach in 2010.
In a 49-page complaint filed in the U.S. District Court for the Middle District of Tennessee last week, the Nashville-based retailer claimed that Visa's fines were unjustified and unenforceable under the law.
Genesco's lawsuit is the first to challenge a credit card company on the issue of fines resulting from payment card data breaches.
Genesco, like every other entity that accepts credit and debit card payments, is required to comply with the Payment Card Industry Data Security Standards (PCI DSS), a set of controls put in place several years ago by Visa, designed to help companies bolster defenses against attacks designed to steal data.
Over the years, credit card companies have assessed hefty fines against merchants who suffered payment card data breaches, purportedly as a result of their failure to comply with PCI DSS requirements.
Genesco was one such company. In 2010, the retailer suffered an intrusion in which unknown attackers attempted to steal payment card information from its networks.
According to Genesco's complaint, the attackers installed packet-sniffing malware on the company's network in an apparent bid to grab unencrypted card data as it was being transmitted for approval to card-issuing banks. The malware was designed to capture the card data and transmit it back to the attackers periodically.
After the intrusion was discovered, Visa issued an alert to affected card issuers, informing them that every Visa card that was processed by Genesco over a one-year period between Dec. 2009 and Dec. 2010 had been compromised. Visa later collected a total of $13.29 million in fines from Wells Fargo Bank and Fifth Third Bank, the two "acquiring banks" that had authorized Genesco's participation in the Visa payment system.
Under PCI DSS rules, acquiring banks are contractually responsible for ensuring that any merchants they authorize for payment card transactions are fully compliant with PCI DSS requirements. They can be fined if one of their merchants gets breached as a result of a failure to comply with PCI. Acquiring banks typically pay the fines to the credit card companies, and later recover it from the merchant that suffered the breach.
In keeping with the practice, both Wells Fargo and Fifth Third collected from Genesco the amounts they had paid to Visa by way of fines.
In its lawsuit, Genesco claimed the fines were totally unjustified. It noted that Visa's own rules specify fines only in situations where a breach occurred because of a company's failure to comply with PCI. Even then, fines are applicable only if more than 10,000 cards are compromised. There also needs to be actual and demonstrable financial damage resulting from fraud or counterfeiting before a fine can be imposed.
Sign up for CIO Asia eNewsletters.