In a first of its kind suit, on March 7, 2013, the sports-apparel retailer Genesco filed a lawsuit against Visa for recovery of fines that Visa issued against Genesco after it suffered a data breach. Generally, merchants are contractually required to be compliant with the payment card industry data security standard (PCI DSS) as well as the payment card brands’ specific operating rules and regulations in order to accept each brand’s payment cards. In the event of a data breach, a payment card brand may seek to recover funds for the incremental fraud incurred by the payment card brand, operational expenses (to cover costs such as card replacement), and fines for non-compliance with the PCI DSS.
After it suffered a packet sniffer data breach in 2010, Visa assessed Genesco a total of $13.3 million in fines. In its complaint, Genesco alleges that it was never out of compliance with the PCI DSS and, thus, should not be liable for the fines.
Given the prevalence of data breaches–and especially the high costs incurred by merchants when responding to, and cleaning up the aftermath from, a breach involving payment card information–merchants should pay close attention to this case. If Genesco ultimately prevails, the case could challenge the underpinnings of the payment card brands’ contracting and enforcement mechanisms.