Hacked retailers up in arms over $13 million 'fine', Visa lands up in court

Visa is being hit with a lawsuit after retailers decided to fight penalties imposed by credit card companies for data breaches.
Written by Charlie Osborne, Contributing Writer

Multi-million dollar business Visa is being taken to court by retailers who are less than happy with the imposition of penalties after being victims of cyberattacks.

Visa is being accused of "punishing" retailers and merchants who find themselves scrambling to contain data breaches and repair systems compromised by hackers. The lawsuit, filed last week in Tennessee by Genesco and first reported by Wired, makes the sports retailer one of the first to bring such a complaint against a payment processing network. The lawsuit centers on the self-regulated PCI security standards, which require networks that handle financial transactions to take particular steps to secure such data -- and which carry stringent penalties if those steps are not met.

The court documents (.pdf) state that Genesco is contesting the $13,298,900 in fines imposed by Visa, as the parent company of over 2,400 stores in America and Europe considers the fines "wrongfully imposed and collected."

At the end of 2010, Genesco admitted its systems had been breached, stating that the system which handles payment processing was "hacked," and that the details of particular cards may have been compromised. In addition, the retailer stated that immediate action had been taken to contain the threat, which came only days after MasterCard and Visa were hit with cyberattacks over their refusal to process donations to whistleblower website Wikileaks.

Both Visa and Mastercard went after Genesco and its connected merchant banks, resulting in overall fees of over $15 million, on the grounds that non-compliance with Payment Card Industry (PCI) standards had allowed the breach to take place.

Packet-sniffing software was found on Genesco's network, but no evidence was ever discovered to suggest that individual customers' credit card details were stolen. However, the fines imposed were not only for noncompliance, but also for operating expenses and to cover "the cost of fraudulent charges made to the accounts," according to Wired.

Genesco maintains within the filing that it did not breach PCI standards, which in this case relate to storing card data without ensuring proper safety measures are in place. In addition, the firm says that because its servers are continually rebooted and overwritten, the company "did not even suffer a possible theft of cardholder data with respect to many of the accounts cited by Visa" in its original penalty.

The documents also point out that merchant banks are not meant to be liable for the recovery of fraudulent transactions unless an "account compromise event" results in the theft of at least 10,000 accounts and the resulting fraud exceeds the level normally seen on Visa card use.

On this basis, Genesco's bid to take Visa to court in the landmark case alleges, under California law, that Visa has broken its own self-regulatory rules by imposing such fines. We are yet to see whether Mastercard will be next to have a court summons relating to cyberattacks left on its doorstep.
