A retailer that suffered a data compromise in 2010 was ultimately held responsible for $13.3 million in fines that Visa levied against two acquiring banks, which passed the fines on to the retailer. The retailer is now suing Visa, stating that at no point was it out of compliance with PCI and that the fines are arbitrary. This is the first, and a landmark, legal battle challenging a card association's enforcement of the PCI Data Security Standards.
Genesco, a publicly owned shoes and sports-apparel retailer in the United States, suffered a data compromise in 2010 when hackers installed packet sniffers on point-of-sale payment networks serving some of its retail stores. The hackers intercepted card data while it was in transit from the retailer's networks to the banks for approval. Although this data was unencrypted in transit, PCI-DSS does not prohibit that for transaction approval data. The breach did not affect any stored credit card data, which does require encryption.
Genesco insists that it maintained compliance with the Payment Card Industry Data Security Standards (PCI-DSS) at all times relevant to the incident, and that acquiring banks are not supposed to be liable for a breach unless the merchant committed a PCI violation that allowed the theft to occur. A further condition for a bank to be liable is that 10,000 or more accounts must have been compromised. Genesco states that neither of these requirements was met, so in levying the penalties Visa violated its own rules and procedures.
Visa first fined Genesco's acquiring banks, Wells Fargo and Fifth Third Bank, $5,000 each about six months after the incident occurred. At the beginning of 2013 Visa levied much larger fines against the two banks, totaling $13.3 million, which it described as operating expense and counterfeit card recovery assessments. Under the agreements between the retailer and its acquiring banks, these fees were passed directly on to Genesco.
The lawsuit, filed by Genesco in early March, states that these fines violate Visa's contract "because at the time of intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements." The suit goes on to state that the Non-Compliance Fines do not represent actual damages incurred by Visa as a result of the alleged failure to maintain PCI compliance.
While many technical and legal details remain to be examined in this case, it has the potential to set a precedent for the enforcement of PCI standards, both in terms of the circumstances under which merchants or banks are found liable and in how the resulting fines are determined.
For more information: