A report in Wired details a lawsuit filed last week in Tennessee by Genesco, owner of popular mall brands Lids and Journeys, that seeks the return of some $13 million the company paid to Visa and its merchant acquirers after a breach of the retailer’s systems was discovered in December 2010.
The suit alleges that the fines levied for PCI non-compliance are “legally unenforceable penalties,” that Visa breached its contracts with Genesco’s acquiring banks (Wells Fargo and Fifth Third), that Visa failed to follow its own stated procedures in collecting the sum, and that Visa has not produced evidence that the packet-sniffing malware discovered on Genesco’s systems actually exfiltrated any card data.
From Wired:
It’s the first known case to challenge card companies over the self-regulated PCI security standards — a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure card data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.
Under the PCI standards, merchants are not supposed to store card data, but they may store some parts of the data if they have to, as long as it’s encrypted. They may also retain the data in the short term – for example, temporarily hold it in memory while it’s being authorized – as long as they take care to protect that data.