Retailer Sues VISA Over Payment Credit Data Breach.
If you are fully PCI DSS compliant but suffer a data breach anyway, are you responsible for penalties and fines even if no financial loss was incurred because of the breach? This is the big question surrounding a recent lawsuit filed by specialty footwear and sports apparel retailer Genesco against VISA USA. Genesco has sued VISA USA over $13.29 million in fines that it was assessed after a credit card data breach that occurred in 2010.
The breach occurred when unknown attackers attempted to steal payment card information from its network. During this breach, the attackers installed packet-sniffing malware on the company's network to capture unencrypted card data as it was collected and transmitted for authorization, and then send it to the attackers.
When the intrusion was discovered, VISA issued alerts to its affected card issuers stating that every card processed by Genesco between December 2009 and December 2010 was compromised. VISA later collected fines totaling $13.29 million from the acquiring banks, Wells Fargo Bank and Fifth Third Bank. These banks, which were contractually responsible for PCI DSS at Genesco, subsequently collected these fines from Genesco.
Genesco's still-unresolved suit claims that VISA violated its own contractual policies by arbitrarily levying fines and penalties for every transaction processed over an entire year. This was done even though there was no documented evidence of losses totaling the amounts of the fines, and because VISA applied policies in its decision that were not even in force at the time of the breach.
Here is a link to the original article:
While the resolution of this lawsuit will not be known for some time, it could be a landmark case that affects all retailers in the future.
If you have questions about PCI DSS Compliance, please contact the CCS Retail Systems