Chain Sues Visa For Breach Fines, May Actually Get Its Day In Court

Written by Frank Hayes
March 13th, 2013

Apparel chain Genesco (NYSE:GCO) has sued Visa (NYSE:V)—yes, Visa, not the acquiring banks—over the card brand’s $13 million in fines due to a 2010 breach. The 2,440-store retailer, which operates the Journeys, Lids and Johnston & Murphy stores, makes the usual arguments: Visa’s fines are illegal, Visa broke its own rules, Genesco didn’t violate any PCI DSS requirements. (Well, except PCI’s First Commandment: Thou shalt not get breached.)

What’s interesting here is why Genesco thinks it will get to sue Visa: A month before Visa notified the acquirers of the assessment, Genesco signed a separate agreement with one of the acquirers, Wells Fargo (NYSE:WFC), in which the bank actually signed over its right to sue Visa to Genesco.

If that argument holds up in front of a judge, Genesco may be the first retailer to take Visa to court over a breach assessment—and Wells Fargo may be the first acquirer to save the cost of getting sued by a breached retailer.

Genesco’s lawsuit, filed March 7 in U.S. District Court in Nashville, also fills in some of the details of the 2010 breach. At the time it was discovered—by the chain, not Visa—Genesco would only say it was “possible that the credit or debit card number, expiration date and card verification code contained on the magnetic stripe of some payment cards used at stores in the affected chains may have been acquired without authorization during the intrusion.”

In the lawsuit, Genesco says that the attackers tried to steal card data “by inserting into Genesco’s computer network malicious software (‘malware’) that employed ‘packet sniffer’ technology custom designed to acquire account data while the data was in transit through Genesco’s computer network on its way to Fifth Third or Wells Fargo for transaction approval. During the course of the Intrusion, the thieves did not target, nor did the thieves access, any stored payment card account information located on Genesco’s computer network” [emphasis in the complaint itself].

The chain argues that PCI DSS expressly allows card data to be sent to acquirers unencrypted (Requirement 4 mandates strong cryptography only for transmission over open, public networks, not across a retailer's own internal network), so it shouldn't have to pick up the tab for a PCI DSS violation, even though there was malware on its servers. Good luck with that argument, folks.

Genesco also claims Visa didn’t follow its own rules, counted some card numbers as compromised when forensic evidence showed that those numbers weren’t, and illegally used fines and assessments that are arbitrary and punitive. (Isn’t that the definition of a Visa fine?) Those arguments echo those of a breached Utah restaurant a year ago. That case is still in court.

What may be more convincing is the chain’s legal stratagem for not having to sue its acquiring banks. In April 2011—a few months after the breach was discovered but before Visa levied its $13,298,900.16 in assessments—the chain and Wells Fargo signed a “reserve agreement,” in which Genesco “acknowledged that it had an obligation to indemnify Wells Fargo for the amount of any such assessments, regardless of whether or not the assessment in question was valid under the [Visa International Operating Regulations] or under relevant applicable law.”

In exchange, Wells Fargo agreed that, once it had been reimbursed for any assessment, “Wells Fargo would be deemed to have assigned, transferred, and conveyed to Genesco any and all rights, claims or causes of actions that Wells Fargo may have against Visa to obtain reimbursement of any portion of such fine or assessment and that Genesco would be deemed to be fully subrogated to any and all such rights, claims or causes of actions.” Rough translation from the legalese: OK, Genesco, you get to sue them instead of me.

Normally, a chain can’t sue a card brand because, legally speaking, the chain never has dealings with the card brand. Visa fines Wells Fargo, which is then indemnified in its standard contract by the retailer. In theory, the acquirer could decide to swallow the assessment instead of passing it on or to even sue the card brand itself. (In an equally likely theory, card thieves might decide to turn themselves in and never use stolen card data. Sure, that’ll happen.)

If it holds up in court, that agreement will change those ground rules for Genesco and Visa—and probably just for Genesco and Visa, because Visa is likely drafting language for its acquirer agreements right now that will prevent any acquirer from signing away its rights in the future.

Still, for Genesco, it may turn out to be a sharp legal strategy for actually getting Visa into court. And when you’re out $13 million, a sharp legal strategy is good—but not getting breached is better. End-to-end encryption, anyone?
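An added illustration of the point made by the complaint and the closing line above; this is not code from the original article, from Genesco or from Visa. A "packet sniffer custom designed to acquire account data in transit" is, at its core, a pattern matcher for magnetic-stripe Track 1 and Track 2 data running over authorization traffic, and the same matcher is what a defender runs over captured internal payloads to confirm whether track data really leaves the POS in cleartext. The message layout, the `TRK1=`/`TRK2=` field labels and the "encrypted" blob are constructed assumptions for the example (the PAN is the standard Visa test number 4111111111111111, not a real account); the point is that the scanner finds full PAN, expiry and discretionary data in the plaintext message and nothing in the point-to-point-encrypted one.

```python
import re
from dataclasses import dataclass

# Constructed sample of an unencrypted authorization message as it might cross a
# retailer's internal network on its way to the acquirer (assumed layout; the
# field labels are invented for this example). PAN 4111111111111111 is the
# published Visa test number, not a real card.
PLAINTEXT_AUTH = (
    b"0200\x00\x01TRK1=%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"TRK2=;4111111111111111=25121011000000000000?AMT=000000012999"
)

# Constructed stand-in for the same message after point-to-point encryption at
# the terminal: a sniffer on an intermediate server sees only an opaque blob.
ENCRYPTED_AUTH = b"0200\x00\x01ENC=" + bytes.fromhex(
    "9f3c2a7d44e1b0c58a6f1e2d3c4b5a69d0e1f2a3b4c5d6e7f80912a3b4c5d6e7"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; cuts false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    track: int
    pan_masked: str
    expiry: str      # YYMM from the track
    offset: int      # byte offset in the payload


def scan_payload(payload: bytes) -> list[Finding]:
    """Return every Luhn-valid track-data hit in a captured payload."""
    findings = []
    for m in TRACK1.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding(1, mask(pan), m.group(3).decode(), m.start()))
    for m in TRACK2.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding(2, mask(pan), m.group(2).decode(), m.start()))
    return findings


def cleartext_track_data_present(payload: bytes) -> bool:
    return bool(scan_payload(payload))


if __name__ == "__main__":
    for label, payload in (("plaintext", PLAINTEXT_AUTH), ("p2pe", ENCRYPTED_AUTH)):
        hits = scan_payload(payload)
        print(f"{label}: {len(hits)} track-data hit(s)")
        for h in hits:
            print(f"  track {h.track} at offset {h.offset}: {h.pan_masked} exp {h.expiry}")
```

Run against a live capture, the same scanner over a few minutes of POS-to-server traffic tells you which of the two cases above your own network is in; if it is the first, every host on the path is a place where Genesco-style malware only has to listen.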
