Data-Breach Case Could Have 'Explosive Solution' for Card Issuers
Heun, David, American Banker
It's a common story: a merchant suffers a payment data breach, the merchant's acquirer gets fined, and the acquirer passes along the fine to the merchant. Usually, life goes on.
But the owners of a small restaurant in Park City, Utah, are standing up to a large bank and card-processing company in a court of law, claiming funds were taken from them without their knowledge to cover fines for alleged Payment Card Industry data security compliance violations.
The payment industry is paying attention to the issues being brought before the court by Stephen and Theodora McComb, owners of Cisero's Ristorante and Nightclub, as they prepare to fight a lawsuit brought by Elavon Inc. and parent U.S. Bancorp in a Utah court. The restaurateurs are contesting the removal of $10,000 from their business account after a series of events led Visa Inc. and MasterCard Inc. to levy fines for PCI violations. The fines against the restaurant totaled $90,000. Cisero's refused to pay the remainder of those fines, prompting U.S. Bank and Elavon to file a lawsuit in 2010.
Because the McCombs claim Elavon took funds without telling them and that follow-up investigations did not prove a breach even occurred, the case figures to address key questions about merchant and processor relationships.
Under scrutiny will be the methods for proving whether a breach took place, how card brands determine how many cards are compromised and how they establish fine amounts, how a merchant is supposed to respond to a breach discovery, how a processor or issuing bank communicates contract particulars or changes, and whether the merchant-processor contract allows for removal of funds from a merchant account to cover fines without merchant consent.
The case figures to garner much attention, partly because Washington, D.C.-based Constantine Cannon LLP law firm will represent Cisero's. Partner Lloyd Constantine was the lead attorney in the so-called Wal-Mart merchant antitrust suit challenging the "honor-all cards" rules of Visa and MasterCard that resulted in the card brands settling with merchants for a combined $3.05 billion.
With that kind of legal firepower behind the restaurant, the case draws a lot more attention, which automatically "gives it a different feel," says merchant acquiring consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates.
"The unique thing about this countersuit is that it is in the public eye, and many in the industry know about it," Martaus says. "Usually, cases similar to this are managed quietly and carefully."
The McCombs make a strong case against the processes that led to their $90,000 in fines, Martaus says.
"It is truly a David vs. Goliath type of thing," he says. "I'm not a lawyer, but I know the law doesn't necessarily provide a full level of justice, and this case is ripe for an explosive solution."
A ruling against the card processor and bank would bring into question the nature of the contracts signed with merchants. And it also could shed some new light on how card networks investigate suspected card breaches.
Cisero's lawyer Stephen Cannon says the case has several nuances, not the least of which centers on the breach investigations, which the card networks approved and the McCombs paid for, and which they claim showed that no breach even took place.
Yet the card networks went ahead and fined Elavon, which in turn, and under contract protection, fined Cisero's, Cannon says. U.S. Bancorp declined to comment on the case.
The McCombs' lawsuit contends that, even though 8,000 cards in the Cisero's customer database potentially have been associated by the card networks with fraudulent card use, there is no proof the data were obtained through a breach on the restaurant's payment system; the breach could have occurred elsewhere, Cannon says. …