The Payment Card Industry’s Data Security Standards force companies to respect several security standards or else face fines from the industry.
Sports Retailer Sues Visa for Security Breach
“This is one of the first cases making it into the public where the merchant is saying ‘I’m sick and tired of being put into a position where I basically have no choices and I’m sick and tired of being a slave of the system,’” Torsten George, vice president for risk-management firm Agiliance, told eWEEK. “Merchants want to try to get more objective treatment from the credit-card companies.”
The lawsuit comes after Genesco suffered a cyber-attack in 2010. The attackers installed a packet sniffer on the company’s network to steal sensitive information sent to banks. The sports retailer provided limited details about the breach, but said the attackers didn’t manage to grab card data stored on the system.
In January of this year, the banks the retailer worked with were forced to pay two large fees, but passed them on to Genesco.
“Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the court documents read.
If the judge agrees, credit-card companies would not be allowed to fine merchants except for provable losses, which would limit enforcement of the industry’s security standards.