Restaurant battles bank over security breach

Should a retailer be on the hook if the credit cards they accepted from their customers were later used fraudulently? A recent lawsuit deals with the question of just how much a retailer should be held responsible when its customers' credit card data is breached.

The case
The owners of Cisero's, a restaurant in Park City, Utah, say they were wrongly penalized when their credit card processor, Elavon, withdrew $10,000 from their bank account without permission. The withdrawal, according to Elavon, was justified because the money was needed to pay the fines imposed by Visa and MasterCard after Cisero's allegedly failed to secure its networks, resulting in a data breach.

But Cisero's is fighting back. In August 2011, the restaurant owners filed a lawsuit against Elavon and U.S. Bancorp, Elavon's parent company, to regain their money. The battle, first reported by Bloomberg and covered by Wired.com, has gained national attention for the complex issues it raises about the relationships between merchants, credit card acquirers (financial institutions that process card payments for businesses) and credit card companies.

No evidence of security breach
In business since 1985, Cisero's Ristorante & Bar is owned by Cissy and Steve McComb. Like many restaurants, Cisero's is heavily dependent on credit card trade: 90 percent of its patrons use credit cards to pay for meals.

Cisero's chose U.S. Bancorp as its credit card acquirer in 2001, according to the suit, and Elavon became its credit card processor. The problems began in 2008, when Visa notified U.S. Bank that credit cards used at Cisero's might have been "accessed, counterfeited and fraudulently" used. Under the current system, credit card companies like Visa can penalize acquirers for security breaches and for merchants' noncompliance with the Payment Card Industry Data Security Standard (PCI DSS). In fact, in their contracts with merchants, acquirers assert the right to pass those penalties on to merchants.

Elavon notified Cisero's of the problem. The restaurant immediately conducted its own internal fraud investigation, according to the suit, and, at Elavon's request, hired a forensic investigator approved by Visa and MasterCard. The forensics company found no evidence that there had been a security breach at Cisero's, although it noted that there were some PCI DSS violations, namely storage of credit card data on Cisero's point of sale (POS) system.

Cisero's later hired a second forensics company, which confirmed the first report and noted that the stored credit card information was located in complex, hidden database files that would not be easy for either restaurant employees or hackers to find.

Discrepancy in numbers
Visa does not penalize acquirers for a security breach if fewer than 10,000 individual account numbers are involved. But the first forensics company found more than 22,000 accounts, since it incorrectly counted multiple transactions at Cisero's involving the same credit cards as multiple accounts, the suit alleges. The second forensics review showed there were actually only 8,100 unique account numbers involved.

Cisero's argues in its suit that, because of this number, no penalties should have been triggered, but Visa claimed that there were actually more than 32,000 accounts involved. Visa eventually declared that losses resulting from the alleged breach were $1.3 million and added another half million to the penalty for operating expenses. Visa did cap the fine to acquirer U.S. Bank at $55,000.
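The two disputes above, stored card data sitting in the POS database and a breach tally that counted repeat transactions as separate accounts, come down to the same mechanics a forensic reviewer goes through: find card-number-like strings in a data store, confirm they are real card numbers, and count distinct accounts rather than raw hits against the 10,000-account line the article describes. The Python below is an added illustration, not code from the article or from either forensics firm; the records it scans are constructed sample data, and the hashing and masking choices are the author's assumptions about how a reviewer would avoid retaining the card numbers it finds.

```python
import hashlib
import re
from dataclasses import dataclass

# Candidate primary account numbers (PANs) are 13-19 digit runs.
PAN_RE = re.compile(r"\b\d{13,19}\b")

# From the article: Visa does not penalize the acquirer when fewer than
# 10,000 individual account numbers are involved.
VISA_ACCOUNT_THRESHOLD = 10_000


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in a blob (a log line, a DB dump, ...)."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def pan_fingerprint(pan: str) -> str:
    """Assumption: dedupe on a SHA-256 digest so the tally never stores the PAN itself."""
    return hashlib.sha256(pan.encode()).hexdigest()


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual form for a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Tally:
    transactions: int     # raw hits, what the first reviewer in the article counted
    unique_accounts: int  # distinct PANs, what the second reviewer counted


def tally_exposure(records) -> Tally:
    """Count PAN hits and distinct accounts across stored records."""
    seen = set()
    hits = 0
    for line in records:
        for pan in find_pans(line):
            hits += 1
            seen.add(pan_fingerprint(pan))
    return Tally(transactions=hits, unique_accounts=len(seen))


def exceeds_threshold(tally: Tally, threshold: int = VISA_ACCOUNT_THRESHOLD) -> bool:
    """True when the distinct-account count reaches the penalty threshold."""
    return tally.unique_accounts >= threshold


# Constructed sample of what a POS system might have retained: the same
# cards recur across visits, and one row holds a number that fails Luhn.
SAMPLE_RECORDS = [
    "2008-03-01,4111111111111111,42.50",
    "2008-03-01,5500000000000004,18.00",
    "2008-03-02,4111111111111111,57.25",
    "2008-03-02,4012888888881881,31.10",
    "2008-03-03,5500000000000004,22.40",
    "2008-03-03,4111111111111111,64.00",
    "2008-03-04,1234567890123456,9.99",   # not a valid card number
]

if __name__ == "__main__":
    t = tally_exposure(SAMPLE_RECORDS)
    print(f"{t.transactions} transactions, {t.unique_accounts} unique accounts")
    print("penalty threshold reached:", exceeds_threshold(t))
    for pan in find_pans(SAMPLE_RECORDS[0]):
        print("stored PAN found:", mask_pan(pan))
```

On the sample data the transaction count is double the account count, which is the shape of the discrepancy the suit describes; a review that reports the first number instead of the second overstates exposure. Deduplicating on a digest rather than on the PAN keeps the reviewer's own working files from becoming another store of card data.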

MasterCard imposed its own $15,000 noncompliance fine on U.S. Bancorp, and other banks claimed losses suffered because of the fraudulent use of the credit card numbers from Cisero's. U.S. Bancorp did not dispute the claims, and Cisero's was never given the opportunity to present its case, its owners allege, although it did send the two forensics reports to Elavon.

Elavon ultimately held Cisero's responsible for $92,000 in various penalties. It withdrew $10,000 from the restaurant's account without the McCombs' permission before the restaurant owners closed the account. Elavon then sued Cisero's for the balance of the money Elavon claims was owed. Cisero's countersued.

Who is responsible for security?
There are issues important to all merchants at stake in the Cisero's legal battle against U.S. Bancorp.

Cisero's lawsuit claims that:

  • Elavon and U.S. Bancorp neglected to inform Cisero's of PCI DSS standards. Nor did U.S. Bancorp inform Cisero's of problems with the POS system it was using, although Visa had notified U.S. Bancorp that these POS systems were storing credit card data and, therefore, were not in compliance with PCI DSS.
  • The Merchant Terms of Service (MTOS) is an unenforceable contract of adhesion (a contract that is very one-sided, but that the party without power is forced to sign). The lawsuit argues that most merchants can't stay in business without accepting credit cards, and they cannot accept credit cards unless they accept the bank's terms and sign the MTOS agreement.
  • The contract should not allow U.S. Bancorp to change the MTOS without notifying the merchant when the credit card companies change their rules.
  • Acquirers have no incentive to contest any allegations of fraud made by credit card companies, since they can simply pass along to merchants any fines levied against them.

Overall, the McCombs' lawsuit alleges that the credit card companies can assess whatever fines they want for alleged security breaches and that they profit unfairly from this power.

The suit also argues that, because most merchants do not have the knowledge or the ability to keep abreast of the latest PCI DSS requirements, the acquirers, with their far greater resources, should be responsible for keeping the merchants informed.

There's been no action on the case as yet, but if the McCombs are successful in their legal challenge, it could ultimately bring about some important changes in the agreements between merchants, acquirers and credit card companies.

See related: Many small merchants ignoring security standards

Published: February 1, 2023
