The merchant strikes back: Cisero’s sues processor and bank over pass-along fines following alleged breach

There’s an interesting lawsuit to watch in Utah. The owner of Cisero’s in Park City is suing their payment processor and bank for deducting money from their account after card issuers fined them over an alleged breach of the restaurant’s system.

The case stems from a March 2008 incident. According to Cisero’s, Visa had notified them that they appeared to be the common point of compromise in a situation involving credit card fraud and that they needed to bring in forensic investigators. Two independent forensic investigations found that the restaurant had unknowingly stored credit card numbers, but there was no clear evidence of any actual breach. Despite the absence of confirmation of any breach that could account for customers’ fraudulent charges elsewhere, Visa ultimately fined U.S. Bank, the acquiring bank. Elavon, the payment processor, is a unit of U.S. Bank.

Thom Weidlich provides the background on the case on Bloomberg.

At issue here is the restaurateur’s claim that there was no evidence that they had been hacked, that Visa never proved a compromise of their system that resulted in fraud, and that although they had unknowingly stored over 8,000 card numbers, that number was below the contractual threshold to trigger fines. The owners had been sued by Elavon for over $82,000 in fines that Visa and MasterCard had levied. The owners countersued in August.

“At no time has Elavon, US Bank, Visa, MasterCard or any other entity proven that a data breach occurred at Cisero’s, that card issuers actually suffered fraud losses or that any such losses were caused by a data breach at Cisero’s,” the restaurant said in court papers.

The owners also allege that U.S. Bank never provided any information or support to assist them in staying secure and PCI-DSS compliant, and that rules were unilaterally changed without notice or consent over time.

Some of their suit strikes me as buyer’s remorse. They signed a contract that permitted some of these things to occur. Was it a lousy contract? Probably. Were there documents that they weren’t even provided before they signed the contract? It seems so. But what it may boil down to is that they did sign a contract. So what part of the contract did the bank and processor actually breach? Their strongest arguments appear to be that they were not notified of the fine, as required by the contract, in time for them to file a timely appeal and that Visa ascribed losses to a breach without justifying their numbers – particularly since there was no proof any breach had even occurred. I think their claim that the acquiring bank failed to provide them with information and support to remain compliant is also worth pursuing, but without the language of the contract to determine the bank’s contractual obligations to them, I’m not sure where that will go.

Visa is not a defendant in this lawsuit, but they are the elephant in the room.

You can read the payment processor’s lawsuit against the restaurant and the countersuit against the processor and acquiring bank, courtesy of Bloomberg. See what you think. Do you think they stand a chance of prevailing?

About the author: Dissent