Digital Transactions Authoritative, insightful and timely information for payments professionals
Sports apparel and accessories retailer Genesco Inc. has gone to court to challenge $13.3 million in fines levied by Visa Inc. for alleged violations of the Payment Card Industry data-security standard. Genesco’s may be the first retailer lawsuit filed against a card network over the PCI security standards, according to some press reports.
Nashville, Tenn.-based Genesco says Visa wrongfully imposed the fines and is seeking their return. Visa declined to comment to Digital Transactions News about the lawsuit.
At issue in the suit, filed March 7 in U.S. District Court for the Middle District of Tennessee, Nashville, are funds removed from Genesco’s merchant accounts by its acquirers, Wells Fargo and Fifth Third Bank. The withdrawals ocurred when Visa fined the banks after Genesco announced in December 2010 it had been hacked and that some confidential cardholder account information may have been compromised.
In the lawsuit, Genesco says it found packet-sniffing software on its computer network, but never discovered any forensic evidence that hackers actually stole card data. But Visa said the company and its acquirers had violated the PCI standards and fined the banks $5,000 each for non-compliance. It later levied $13.3 million against the banks for breach-related operating expenses and to recover the cost of fraudulent charges made to the reportedly compromised cardholder accounts. The acquirers then recovered the cost of the fines from Genesco.
Genesco contends that the packet sniffer installed on its network was designed to capture unencrypted card data as they were being transmitted through Genesco’s network to the acquirers for transaction approvals. But the retailer says hackers would not have accessed the data because Genesco’s servers reboot regularly, overwriting log files that may have contained card data.
In addition, Genesco argues that Visa isn’t supposed to hold banks liable for a breach unless at least 10,000 accounts are compromised, the retailer’s violation of a PCI standard led to the theft, or the counterfeit fraud on stolen accounts exceeded the amount of fraud that normally would occur on a card. Genesco contends that Visa met none of those requirements before assessing the fines.
In seeking recovery of the funds, Genesco said that “Visa was unjustly enriched by its actions in wrongfully imposing and collecting the assessments and the non-compliance fines.” In the lawsuit, the retailer also accused Visa of engaging in “unlawful, unfair or fraudulent business practices.”
Genesco sells footwear, headwear, sports apparel and accessories in more than 2,380 stores throughout the U.S., Canada, the United Kingdom, and Ireland. Its principal brand names are Journeys, Journeys Kidz, Shi by Journeys, Underground by Journeys, Schuh, Lids, Lids Locker Room, and Johnston & Murphy. The company also operates e-commerce sites.
