A Tennessee-based footwear and apparel company has filed a $13 million lawsuit against Visa over what it calls arbitrary, subjective penalties for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard the card brands enforce on merchants.
Last week Nashville-based Genesco, which operates 2,440 retail stores such as Journeys and Lids Locker Room throughout North America and Europe, sued Visa U.S.A. Inc., Visa Inc. and Visa International Service Association to recoup almost $13.3 million levied against them following a 2010 data breach.
Since 2006, retailers in particular, but virtually anyone who accepts Visa, MasterCard, American Express, Discover and other major and minor payment cards, have been required to comply with the 12 data security requirements set out in the Payment Card Industry Data Security Standard (PCI DSS). The standard is maintained by a council founded by the five major card brands, while the brands themselves enforce compliance and levy penalties through the acquiring banks; it applies to any organization that stores, processes or transmits cardholder data. The standard was created in 2004 to improve controls around cardholder data with the aim of reducing card fraud, and businesses were given two years to come into compliance.
Under the guidance issued by the PCI Security Standards Council (PCI SSC), a merchant is defined as “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.” Such a broad definition includes everyone from retailers, restaurants and service stations to health care providers, educational institutions and even paper shredding companies. The level of assessment depends on how many credit card transactions are processed and if there’s a history of data breaches.
In 2010, Genesco was the victim of “a sophisticated cybercrime attack,” according to court papers available on Wired’s Web site, which was the first to report the lawsuit. Criminals installed a packet sniffer on Genesco’s network to capture card-swipe data as it was transmitted, unencrypted, for authorization. Genesco’s filing argues that this is not a PCI violation at all: the standard requires cardholder data to be encrypted only when it crosses open, public networks, not while it moves over a merchant’s internal network. “Notwithstanding this circumstance, the PCI DSS not only does not prohibit, it actually expressly approved, unencrypted transmission of mag-stripe-swipe transaction approval data,” according to the court document.
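What a sniffer on an internal authorization path actually harvests is raw magnetic-stripe track data, which has a fixed, easily recognizable format. The following is an added example (not code from the article, the court filings or any party to the case) showing how a defender could scan captured payloads for plaintext Track 1 and Track 2 data, using the Luhn check to filter out digit strings that merely look like card numbers. The payloads, the PAN and the helper names are constructed for illustration.

```python
import re

# Track 2 as written on the stripe:  ;PAN=YYMM<service code><discretionary>?
# PAN is 13-19 digits; the field after '=' starts with a four-digit YYMM expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[0-9=]*\?")

# Track 1, format B:  %BPAN^SURNAME/FIRST^YYMM<service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Mask a PAN to first six / last four, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(payload: bytes) -> list:
    """Return (track, masked PAN, YYMM expiry) for every plausible stripe record."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(payload):
            pan = m.group(1).decode()
            if luhn_ok(pan):    # drop sequences that only resemble a PAN
                hits.append((track, mask(pan), m.group(2).decode()))
    return hits


# Constructed sample payloads, as a sniffer on the authorization segment might see them.
# 4111111111111111 is a well-known test PAN; ...1112 fails the Luhn check.
SAMPLE_PAYLOADS = [
    b"POS-AUTH ;4111111111111111=25121011234567890? AMT=004999",
    b"%B4111111111111111^DOE/JOHN^25121011234567890?",
    b";4111111111111112=2512101?",
    b"GET /health HTTP/1.1",
]


def scan_payloads(payloads) -> list:
    """Scan each payload; return (payload index, track, masked PAN) for every hit."""
    findings = []
    for idx, payload in enumerate(payloads):
        for track, masked, _expiry in find_track_data(payload):
            findings.append((idx, track, masked))
    return findings


if __name__ == "__main__":
    for idx, track, masked in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: plaintext {track} data for PAN {masked}")
```

Run the same scanner over a real capture (for example, payloads exported from a pcap) and any hit means card data is traversing that segment in the clear, which is exactly the condition the Genesco breach exploited; an encrypted or tokenized authorization stream produces no matches.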
Genesco claims the thieves never accessed data stored within the company’s network, in part because Genesco rebooted its servers, which overwrote any log files containing sensitive cardholder data before the attackers could reach them. Nonetheless, Visa alerted all of the card issuers whose account holders had made a purchase at a Genesco store between Dec. 4, 2009 and Dec. 1, 2010 that their cardholders’ data may have been compromised.
In May 2011, Visa assessed Genesco’s acquiring banks, Fifth Third Financial and Wells Fargo, $13,298,900 for PCI DSS violations and for the expenses and fraudulent charges that followed the breach; the banks in turn recovered the amount from Genesco.
Visa and MasterCard together fined the companies a combined $15.6 million, but only Visa is named in the current lawsuit. In a January SEC filing, Genesco reported $2.1 million in legal and consulting fees related to the data breach.
Only one other comparable lawsuit has been reported in the United States, according to Wired: a $90,000 dispute between a Utah restaurant chain and US Bank, which sued each other after the restaurant failed to secure its network and suffered a data breach that led to fraud and PCI penalties.