Visa To Genesco: PCI Compliance? What PCI Compliance?

May 31st, 2013

PCI QSAs can disagree among themselves, and when a retailer changes QSA firms, different interpretations often materialize. Therefore, after a breach has happened, it’s easy to reinvestigate and to find something that could be interpreted differently. And then, presto, non-compliance.

Visa has proudly proclaimed—repeatedly—that no PCI-compliant retailer has ever been breached. That’s true, but it’s because every time a compliant retailer has been breached, Visa has them re-evaluated and suddenly finds that they hadn’t really been compliant after all. George Orwell would have been proud.

Back to Visa’s filing for dismissal. Visa gets precise about the pecking order: “Nor does Genesco allege that Visa’s contractual right to collect the assessments from the Acquiring Banks was contingent on Genesco agreeing to reimburse or indemnify the Acquiring Banks. In addition, Genesco does not allege that Visa directed, or even encouraged, the Acquiring Banks to seek reimbursement or indemnification from Genesco pursuant to the banks’ separate contracts with Genesco.” Yeah, I’m sure that those banks had to have their arms twisted to seek reimbursement from a retailer.

“Genesco’s allegation is simply that Genesco’s separately negotiated contracts with Acquiring Banks resulted in Genesco having an indemnity obligation to the Acquiring Banks for the banks’ contractual obligations to Visa. Genesco’s contract-based claims are factually and legally flawed, but they will be challenged at a later time and not on this motion.”

Visa also got into the issue of whether it had engaged in fraudulent conduct—given that it’s a card brand, the filing meant that it had engaged in more fraudulent conduct than usual.

“Genesco fails to allege that Visa made any statements or representations that were allegedly fraudulent. Its sole, conclusory assertion of fraudulent conduct is the allegation that ‘Visa misrepresented to the Acquiring Banks that [the disputed] amounts were due and owing to Visa under the VIOR and applicable law.’ This allegation is no more than a thinly veiled claim that Visa breached its contracts with the Acquiring Banks in making the assessments. Even if accepted as true for purposes of this motion, the allegation does not establish any likelihood of consumer or public deception. Nor does Genesco even allege that it relied on the alleged misrepresentation. For these additional reasons, Genesco’s Complaint fails to state a claim under the ‘fraudulent’ prong of the (California Unfair Competition Law). Genesco does not allege facts demonstrating that it was inequitable for Visa to apply the relevant contractual procedures for collecting money from the Acquiring Banks to partially reimburse issuing banks for losses they suffered as a result of account data-security deficiencies at Genesco.”





Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mismatch makes it easier to use them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them?
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved.
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse).
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIN. Hence, $10 prices for US cards vs $25 for the European counterparts.
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7.
