Merchants Take on Payment Card Industry for Unlawful Fines

A regional Hispanic supermarket is taking on the payment card industry’s flawed system for securing card data, a system that works by fining merchants who fail to secure their data. This David and Goliath fight is one of a handful of cases forming a new area of litigation over merchants’ rights in the face of what may be punitive credit card charges.


Diosdado Hernandez, owner of Food Star Supermarket, has filed a lawsuit against First Data Merchant Services Corporation, claiming that the credit card processing service provider unlawfully seized money from Food Star’s bank account to pay thousands of dollars in credit card company fines.


First Data, which provided Food Star with point-of-sale (POS) processing systems and security maintenance of those devices, refused to return the withheld funds to the market’s owners, who claim First Data had no contractual authority to withdraw these substantial sums from the market’s business account to pay for anticipated losses assessed by Visa and MasterCard. The card companies produced daunting estimates of customer liabilities after alleging that Food Star had failed to maintain secure SMS POS server configurations and had suffered a data breach that resulted in fraudulent charges on customers’ bankcards.


In addition, Food Star alleges that merchants like itself are subjected to Visa and MasterCard’s ADCR Qualification Summary Reports, which are arbitrary, change without notice and impose unsubstantiated charges on merchants based on possible “fraud accounts” that are supported only by statistical association rather than by any direct causal link. Moreover, charges for anticipated fraud losses are withdrawn from the merchants’ bank accounts without first giving them a meaningful opportunity to dispute the claims before the money is seized.


The issue began for Food Star in September 2010, when Visa notified First Data that Food Star’s network had possibly been compromised at two of its Miami stores, after cards used at the supermarket were later used for fraudulent transactions at other locations. After First Data notified Food Star of the likely breach, the supermarket was required to hire a forensic investigation firm, Verizon Business, to determine whether a breach had occurred and whether the supermarket was in compliance with the Payment Card Industry Data Security Standard (PCI DSS).


In December 2010, Verizon Business issued its Computer Forensic Investigation Management Report and determined that a security breach had occurred sometime between October 2009 and August 2010. Such reports, however, establish at most a statistical association between the suspected compromise and the actual fraud: the cards in question were used at Food Star and later used fraudulently elsewhere. They do not establish a direct causal link between any failure by Food Star to maintain a secure POS server configuration and any particular fraudulent charge.


Because a First Data agent performed all security maintenance of the Food Star POS systems, Food Star also challenges any BIN Owner Liability Assessments or other fines issued on the basis of mere statistical association. First Data, which bills Food Star monthly for its card processing services, is also accused of charging inaccurately for those services and of providing no discernible correlation between the amounts charged and the services actually provided.

By March 2011, First Data had notified Food Star that it estimated the expenses arising from the breach at the supermarkets at around $615,000, covering card cancellation, monitoring and fraud reimbursement charges. But instead of giving Food Star a chance to dispute these anticipated charges, Food Star alleges, First Data unlawfully withheld 25% of Food Star’s daily bankcard settlements until the fines were covered. The withholding of these funds, which First Data still retains, amounts to a pre-suit writ of garnishment without due process.


This is one of the first cases to challenge the PCI security standards, an industry standard that requires businesses accepting credit and debit card payments to implement a series of technical controls to secure cardholder data. The controversial system, imposed on merchants by card companies such as Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and by others who say it is designed less to secure card data than to profit the card companies, while giving them executive powers of punishment through a mandated compliance system that has no oversight.


But this rare kind of legal fight is becoming more common: similar cases have been filed in Utah and California, as reported in a Wired web article about a similar dispute in Park City, Utah, Elavon Inc. v. Cisero’s Inc. In Elavon, the merchant hired an expert who found “no concrete evidence that the POS server suffered a security breach which led to the compromise of cardholder data” and that no evidence existed that payment card data of any kind was improperly taken from the merchant’s systems. Nonetheless, the owners of that business find themselves in a situation similar to the one Mr. Villasante is pursuing on behalf of the Florida merchant in Food Star v. First Data Merchant Services.