VISA sued over PCI fines levied on retail company

The lawsuit seeks “to recover $13,298,900.16 in non-compliance fines and issuer reimbursement assessments that Visa wrongfully imposed.” This comprised $5,000 in fines against Genesco’s banks and $13 million levied to cover operating expenses incurred over the breach and to recover the cost of any fraudulent charges made to the accounts – all of which was passed on to Genesco.

In December 2010 Genesco announced that it had been hacked and that certain details of cards might have been compromised. The uncertainty arises because the breach involved a packet sniffer designed to steal data in transit from the merchant to its bank (in this case Fifth Third Bank and Wells Fargo). That data was unencrypted, but the PCI security standard does not require it to be encrypted. Consequently, the data lost would only involve data transmitted while the sniffer was in place.

Genesco is confident that no stored data was accessed. The court document also asserts that the fine was levied by Visa even though “there was no forensic evidence that any of the Alerted-On Accounts had been compromised in the Intrusion, and even though the forensic evidence affirmatively showed that some of the Alerted-On Accounts were not compromised during the Intrusion.” Genesco is accusing Visa of breaching its own contracts with the banks, of failing to follow its own rules and procedures, and of unfair business practices under California law.

When a PCI fine is levied, the card companies do not fine the merchant but the banks. The banks pay up and “then simply collect the money from the customer’s account or sue them for uncollected balances,” reports Wired, “using the indemnification clauses in their contracts to justify it.” It is a controversial system imposed on the merchants, and, says Wired, “has been called a ‘near scam’ by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.”

Rich, writing in the Securosis blog, is one such critic of what he calls the ‘PCI scam.’ “PCI,” he writes, “is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts. The PCI Security Standards Council has stated that no PCI compliant organization has ever been breached. This is a clear fallacy – merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications. Fines are then levied against the acquiring bank and passed on to the merchant.”

Watch this, he adds. “If it succeeds there will likely be a flood of similar cases.”