July 5, 2013

PCI Compliance Sees First Merchant Challenge in Court

Merchant files first lawsuit aimed directly against a credit card company in protest of PCI noncompliance fines.
CHICAGO, IL: Genesco Inc., a Nashville-based specialty retailer with over 2,400 stores worldwide, has filed the first ever lawsuit challenging PCI compliance fines issued by a credit card company. Terrance Howard, founder of (, says that this lawsuit could change the way PCI compliance is viewed in the future.

In March 2013, Genesco filed a complaint challenging the $13.3 million in non-compliance fines imposed by Visa. Visa and MasterCard together charged $15.5 million in fines against the two banks that processed credit and debit card transactions for Genesco, Wells Fargo and Fifth Third Financial. Genesco has not filed a suit against the $2.2 million in fines that were imposed by MasterCard.

The suit disputes Visa's claims of noncompliance, contending instead that Genesco was in fact compliant with the PCI DSS guidelines and that the fine was issued arbitrarily by Visa, since there was no evidence that any cardholder data was actually stolen in the 2010 breach.

"This is the first time that a merchant has actively argued against PCI compliance," says Terrance Howard, whose site helps businesses find PCI compliant web hosting for their websites. "Genesco just may be setting a new legal precedent for fighting future noncompliance fines."

Genesco's complaint also includes claims for breach of contract and violation of the California unfair business practices act, as well as other related claims. Visa has responded with a motion to dismiss the unfair business practices claim as well as the unjust enrichment claim, but Genesco has not yet filed its response. The case is still in its early stages.

"I think the whole industry is going to be keeping a close eye on this case," says Howard. "It could very well change the future of PCI compliance services."

The Payment Card Industry Data Security Standard (PCI DSS) guidelines, established in 2004, impose a set of contractual obligations on merchants who accept credit and debit card payments, requiring them to meet a defined set of criteria intended to improve the protection of cardholder data.

Since the inception of the PCI DSS, merchants have been fined millions in noncompliance fees. Genesco is the first company to file a lawsuit directly against a credit card company to fight noncompliance fees, although Cicero's, a restaurant and nightclub, did sue its bank, Elavon, claiming that noncompliance fines were paid to Visa and MasterCard without its knowledge or consent.

Experts suggest that one potential outcome of the suit is the creation of an independent entity to oversee the entire compliance system. Although the PCI Security Standards Council was responsible for developing the standards initially, it has no authority to ensure that they are followed, let alone to enforce them. The suit also has the potential to make it more expensive for consumers to pay using credit cards, as well as more expensive for merchants to process them.

"Merchants have grumbled about the PCI DSS almost since its inception," says Howard. "This lawsuit has the potential to revamp the system from the inside out and make some real changes."

( is a leading source of information on the PCI compliant services industry. Established in 2009, it keeps up with the latest industry news and provides guides for merchants, assessors, processors and financial institutions on compliance issues. The company also provides free consultations for clients seeking PCI compliant hosting and dedicated servers.