In March 2013, Genesco Inc. filed a complaint in the U.S. District Court for the Middle District of Tennessee against Visa seeking to recover $13.3 million in non-compliance fines and assessments that Visa had imposed on two acquiring banks, Wells Fargo and Fifth Third Financial, which processed the payment card information. These banks had paid the fines and assessments, and then collected the total from Genesco pursuant to an indemnification agreement.
In 2010, when credit card processor Elavon Inc. sued restaurant chain Cisero’s Inc., seeking $83,000 in PCI fines, Cisero’s counterclaimed, challenging the fines. However, Genesco v. Visa is the first direct lawsuit against a credit card company fighting back against the PCI DSS fine regimes, which imposes penalties without evidence that card data was stolen.
The fines assessed stemmed from the December 2010 breach of Genesco’s payment processing network due to a criminal cyber attack. Genesco claims in its complaint that Visa had no reasonable basis for concluding that it was non-compliant with the PCI standards, and that there was no actual theft of cardholder data for the accounts in question.
The case is in its early stages but should be watched closely, as an outcome in favor of Genesco could undermine the credit card companies’ ability to assess PCI fines, with the potential to “shake [the] PCI compliance regime to its core.”