For perhaps the first time, the enforceability of the fine system supporting the PCI DSS standard will be considered in the U.S. case of Elavon Inc. v. Cisero's Inc., 100500480, Utah Third Judicial District Court, Summit County (Park City).

The owners of an Italian restaurant in Utah (Cisero's) were charged more than $80,000 in fines for alleged security failures that led to fraudulent credit card transactions. In response to proceedings by their bank to recover the outstanding fines, the couple has counter-sued, saying they didn't break MasterCard and Visa rules, that there was no security lapse and that no acts of fraud were specifically claimed.

In 2001 the Ciseros entered into their contract with the bank, which incorporated by reference Visa and Mastercard's operating rules. Those rules were not made available to the Ciseros at that time, or at any time in the future, including when they did become publicly available in 2008. In any case, in 2001 those rules did not contain any data security requirements; the PCI DSS became part of the card issuers' rules in 2005.

The Ciseros' contract with their bank provided that the bank could amend the terms at any time without notice to the Ciseros (a provision commonly appearing in cloud computing contracts), which is the provision the bank is relying on to incorporate subsequent requirements, including those relating to data security. The bank also relies on an indemnification provision in its contract with the Ciseros to claim the amounts paid by the bank to Visa and Mastercard by way of penalties levied for fraudulent claims resulting from the data security breach.

The Ciseros claim that:

- They were never notified of any requirement to meet any data security standard

- They were

Bank’s Original Claim:

Cisero’s Counter Claim:

More on the story: