None of these situations applied to the 2010 intrusion, Genesco said in its complaint. The company noted that it was fully compliant with PCI requirements at the time of the breach. As required under PCI, no card data was ever stored on Genesco's systems at any time during the intrusion.
The only card data that was potentially exposed was the unencrypted card data being transmitted for approval. Visa's own rules at the time did not require companies to encrypt such data while it was being transmitted, Genesco maintains.
The retailer also challenged Visa's assertion that all card data handled by the company over a one-year period was exposed in the intrusion. Genesco maintained that the servers handling the transactions were rebooted periodically. As a result, even if some card data had been stored in server log files, it would have been erased each time the server rebooted. This would mean there was little chance that all cards handled by the company over a one-year period would have been exposed.
Importantly, Visa failed to show that either it or any card issuers suffered any actual damages from the breach, Genesco said. According to Genesco, the intrusion did not result in any fraudulent activity or financial losses remotely amounting to the fines charged by Visa for the intrusion.
The company has also challenged the legality of Visa's actions, noting that the fines amounted to an illegal penalty rather than a fine based on actual damages. "Visa does not even pretend that the non-compliance fines represent actual damages that Visa incurred," as a result of Genesco's alleged failure to comply with PCI, the company said in its complaint.
Visa did not respond to a request for comment.