Damn, I’m not sure what I think about this:
A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.
The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based.
It’s the first known case to challenge card companies over the self-regulated PCI security standards — a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure card data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.
In December 2010, Genesco announced that it had been hacked, but provided few details about the breach other than to say it was possible that certain details of cards used in its stores might have been compromised.
In the court documents for its lawsuit against Visa, (.pdf) the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.
And yet again:
Nonetheless, Visa accused the company and its banks of violating the Payment Card Industry standards, and fined the banks $5,000 each for noncompliance, then later levied $13.3 million against them for operating expenses incurred over the breach and to recover the cost of fraudulent charges made to the accounts. Visa collected the money this last January from the banks.