Blog

David and Goliath - A PCI Story

There are many people who feel PCI is ultimately a thinly-veiled credit card company scheme that makes businesses police themselves, when really it exists to pass on the liability when credit card companies' lax security results in a breach. This pass-the-buck policy often leads to major fines and priceless damages for smaller businesses, and the case of Cisero's Ristorante and Nightclub in Park City, Utah is no different, except for one twist: Cisero's is fighting back.

According to a Wired article by Kim Zetter:

U.S. Bank seized about $10,000 from the McCombs' account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero's had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.

If this case proceeds, it could unravel the PCI structure:

Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School, says the system of fining merchants could prove to be a problem for the payment card industry if the court views them as punitive in this case. "In general, contract law does not like punitive damages being included in contracts," she says. "If you argue that these fines are punitive and unrelated to actual losses suffered, courts could deem your contract to be overreaching and conclude that its intent is to punish rather than to compensate harm."

Matwyshyn also says the fact that merchants are liable for a third-party agreement their banks make with Visa and MasterCard is problematic because it disempowers merchants and prevents them from being able to "negotiate the kinds of balanced provisions we would expect to see between two parties to a contract." "We should see some interesting contract analysis from the court [on this]," she said.

This will be one to watch, though it's hard to imagine the banks will let this go to court. My bet is they will probably settle. Interestingly enough, TJX made a similar argument, which resulted in TJX settling and avoiding fines in its own breach case several years ago.