Genesco Inc., a Tennessee-based shoe retailer, is taking Visa to court in what is being reported as the first case challenging fines and penalties levied by the Payment Card Industry Data Security Standard (PCI DSS) under which Genesco was fined $13.3 million.

In late 2010, attackers compromised computer systems belonging to Genesco, the operator of 2,440 Lids, Journey, and other retail locations in the U.S. and abroad. During the attacks, hackers installed packet inspection software on a number of company owned machines. Depending on the specific machines infected, such spyware could potentially expose a wide range of sensitive information. The concern here, of course, revolves around whether or not the attacks exposed credit card details. The data breach fine seems to indicate that Visa believes that payment information was compromised in the breach. Genesco, however, said it performed a forensic investigation of its networks and found no evidence that financial information was stolen.

In a complaint filed to a U.S. District Court in Tennessee, Genesco argues that Visa not only wrongfully imposed and collected $13.3 million non-compliance fees but also breached its contracts with the banks and broke the law by issuing fines that violated the Visa International Operating Regulations (VIOR).

The way these PCI DSS non-compliance fines work, according to Wired, is that the payment companies levy fines against the banks, in this case Wells Fargo and a bank called Fifth Third Financial. The reason for this, again according to Wired, is that the banks are less likely to push back on the fines issued by the payment card companies than the individual merchants are. So the payment card issuers fine the banks and the banks either remove the money from accused offenders’ accounts or sue them for the balance. Either way, the card companies get their money while the banks and the merchants are left to fight it out.

PCI DSS is a set of 12 overarching security requirements established by Visa and the other big credit card companies and imposed upon any merchant or related business that transmits or handles payment card information. It is intended to protect payment card account data such as card numbers, expiration dates, and verification codes from electronic theft.

Genesco claims that the attackers targeted and compromised card holder data as it was transmitted unencrypted from Genesco to Wells Fargo and Third Fifth banks.

After the breach occurred, Visa issued a compromise account management systems (CAMS) alert that listed every card that passed through Genesco’s systems between December 2009 and December 2010, presumably the period of time in which Genesco’s systems remained compromised. Genesco’s complaint notes that its forensic examination produced no evidence that any of these cards were actually compromised during the intrusion, and, beyond that, Genesco’s analysis actually showed that some of the cards listed in the CAMS alert were definitively not exposed in the Genesco intrusion.

In other words, Genesco admits a breach took place, but, according to the complaint, can only prove with certainty that specified cards were not compromised in the intrusion. Beyond that they claim there is no evidence to support that cardholder information was exposed. Genesco therefore believes that Visa is interpreting the VIOR in order to punish Genesco for a breach in which cardholder data may have been exposed when the spirit and intent of the rule is to punish vendors for breaches that definitely exposed cardholder data.

Visa did not respond to a request for comment.

Visa image via Images_of_Money‘s Flickr photostream, Creative Commons.

Categories: Cryptography, Malware