Merchants Take on Payment Card Industry for Unlawful Fines

A regional Hispanic supermarket is taking on the payment card industry’s flawed system for securing card data by fining merchants for failing to secure their data. This David and Goliath situation is one of the few cases making up a new area of litigation that addresses merchants’ rights vis-à-vis possibly punitive credit card charges.


Diosdado Hernandez, owner of Food Star Supermarket, has filed a lawsuit against First Data Merchant Services Corporation, claiming that the credit card processing service provider unlawfully seized money from the Food Star bank account to pay for thousands of dollars in credit card company fines.


First Data, which provided Food Star with Point of Sale (POS) processing systems and security maintenance of these devices, refused to return the withheld funds to the owners of the market, who claim First Data had no contractual agreement to withdraw these substantial funds from the market’s business account to pay for anticipated losses imposed by Visa and MasterCard. These credit card companies produced daunting estimates of customer liabilities after alleging that Food Star had failed to maintain secure SMS POS server configurations and suffered a data breach that resulted in fraudulent charges on customer bankcards.


In addition, Food Star alleges that merchants like themselves are subjected to Visa and MasterCard’s ADCR Qualification Summary Reports that are arbitrary, change without notice and impose unsubstantiated random charges on merchants based on possible “fraud accounts” that are only supported by statistical association—rather than direct causal links. Moreover, charges for anticipated fraudulent losses are withdrawn from the business owners’ bank accounts without first providing these merchants a meaningful opportunity to dispute claims before money is seized.


The issue began for Food Star in September 2010, when Visa notified First Data that Food Star’s network had possibly been compromised at two of its Miami stores after cards used at the supermarket were later used for fraudulent transactions at other locations. After First Data notified Food Star of the likely breach, the supermarket was required to hire a forensic investigation firm, Verizon Business, to determine if a breach had occurred and if the supermarket was in compliance with the Payment Card Industry Data Security Standards (PCIDS).


In December 2010, Verizon Business issued its Computer Forensic Investigation Management Report and determined that a security breach had occurred sometime between October 2009 and August 2010. These reports, however, merely suggest a statistical association between the compromise events and the actual fraud. There is no direct causal link established between any failure by Food Star to maintain a secure POS server configuration and any subsequent fraudulent charge.


Because a First Data agent conducted all security maintenance of the Food Star POS systems, Food Star also challenges any BIN Owner Liability Assessments or other fines that are issued based on mere statistical associations. First Data, which bills Food Star monthly for its credit processing services, is also being accused of inaccurately charging for its services and providing no discernable correlation between the amounts charged and the actual services provided by First Data.

By March 2011, First Data had notified Food Star that it estimated expenses caused by the breach at the supermarkets would add up to around $615,000, relating to credit card cancellation, monitoring and fraud reimbursement charges. But instead of allowing Food Star a chance to dispute these anticipated charges, Food Star alleges that First Data unlawfully withheld 25% of Food Star’s daily bankcard settlements until these fines were covered. The withdrawal of these funds, which remain unlawfully withheld by First Data, amount to a pre-suit Writ of Garnishment without due process.


This is one of the first cases to challenge PCI security standards—a national standard that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure their data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data and more so to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.


But this rare legal fight is becoming more common as similar cases have been filed in Utah and California, as cited in a web article by Wired about a similar situation in Park City, Utah; Elavon Inc. v. Cisero’s Inc. In Elavon the merchant hired an expert who found “no concrete evidence that the POS server suffered a security breach which led to the compromise of cardholder data” and that no evidence existed that payment card data of any kind was improperly taken from the merchant’s systems. However, the owners of that business find themselves in a  situation similar to the one Mr. Villasante is prosecuting on behalf of the Florida merchant, in Food Star v. First Data Merchant Services.


Copyright Owners Dispute Over Counterfeited Product in South Korea


A South Florida-based company is faced with a struggle for justice after their copyrighted breast-enhancing product is illegally reproduced and sold in the South Korean market. Brava, LLC, a corporation with the exclusive rights to patent, manufacture, market and distribute their Brava Breast Enhancement and Shaping System, recently fell victim to a copyright infringement scheme when a South Korean partner breached its distributor agreement and began reproducing inferior devices and selling them independently in South Korea.


The device, with cosmetic and medical applications, is a bra that is clinically proven to enhance breast size without surgery. It was developed in Miami, Florida by a medical team at Brava, LLC. The corporation hired attorney Roberto Villasante to bring suit against the Korean counterfeiter Chun Sup Kim and the corporate entity INSOP. Mr. Villasante engaged South Korea’s second largest law firm to collaborate in this litigation.


In a related criminal proceeding Mr. Kim has now been found guilty of counterfeiting the Brava device which was first released in the Korean market in 2001. The products consist of a set of silicone-domes held in place over the breasts, a ‘SmartBox’, which creates vacuum pressure within the domes, a support bra, which helps the user to wear the products, a tube connecting the domes to the SmartBox, a filter which removes moisture, and a cleaning kit. For the device and all its parts, the trademark “BRAVA” was registered on August 9, 2004.


Defendant Kim established his own company on June 27, 2003 and entered into a distributor agreement with Brava, LLC in October of 2005. Under this agreement, Brava, LLC granted Kim’s company an exclusive license to distribute and market the devices in Korea. However, relations would soon turn sour after Kim planned to use reverse-design (reverse-engineered) data off the devices to sell the copied products to consumers as if they were imported from Brava, LLC–a move that breached the distributor agreement and arguably violated the Unfair Competition Prevention Act in South Korea.


It wasn’t long before Brava, LLC representatives became aware of the copied products being sold in the Korean market. In 2010, Brava demanded Kim to cease all sales of unauthorized counterfeited products and stop the use of the Brava trademark; effectively terminating the existing distributor agreement. Subsequently, Kim was indicted in Seoul for failing to obtain a license to sell his independently manufactured product in South Korea.


Brava has argued that Kim sold thousands of counterfeited devices in his country, costing Brava, LLC millions in revenue.


In May 2012 the Seoul Central District Court issued a monetary judgment in favor of  Brava, LLC awarding compensatory damages. The court, however, expressed “difficulty” in calculating damages and did not seem to account for Kim’s direct interference in Brava’s business or sales. Brava’s position is that every counterfeit product sold by Kim’s company deprived Brava of an equivalent sale of a legitimate device and that the damages awarded are insufficient. The matter is now on appeal.