Shoe Retailer Sues Visa for $13 Million over PCI Fines 

March 14, 2013

Genesco, a footwear retailer and parent company of brands Johnston & Murphy, Journeys and Lids, has filed suit against Visa in a Tennessee federal court for the return of more than $13 million the company paid in fines after a 2010 data breach. Nashville, Tenn.-based Genesco said in its complaint, filed a week ago, that the fines Visa “wrongfully imposed” on Genesco’s acquiring banks—Wells Fargo and Fifth Third—were in turn seized from the retailer because it did not comply with the self-imposed PCI DSS security standards.

Genesco claims that the fines Visa levied against the acquirers—fines it knew Genesco ultimately would be responsible for—are invalid because the network intrusion took place during the approval process, when unencrypted payment information was being transmitted. According to the complaint, “the PCI DSS not only does not prohibit, it actually expressly approves, unencrypted transmission of mag-stripe-swipe transaction approval data.” Additionally, Genesco said in its filing that at the time Visa imposed its fines for PCI DSS non-compliance, the card network “had no reasonable basis for concluding that Genesco was non-compliant with the PCI DSS requirements at the time of the Intrusion or at any other relevant time.”

Fines of this nature have been a long-standing thorn in the side of retailers, who are skeptical of the rationale the card networks provide for imposing them.

“Retailers have serious, long-held concerns that the card companies use these seemingly arbitrary guidelines to deplete merchants’ bank accounts,” said Stephen Schatz, a senior spokesperson for the National Retail Federation. “Some have even questioned if the system is a method not of preventing abuse but designed for compensating the financial services industry for flaws in their fraud-prone card systems.”

Genesco charged that Visa is in breach of its contract governing the collection of these fines and should return the money the banks withheld from Genesco to pay the Visa-imposed fines. This case is believed to be the first to challenge the card networks over PCI DSS.