Retailer hauls Visa to court over $13.3M fine for payment card data breach

Fine is illegal, unjustified and in violation of Visa's own policies, says Genesco

Genesco, a specialty retailer of footwear, sports apparel and related accessories, has sued Visa USA for $13.3 million in fines that were assessed against the company after a credit card data breach in 2010.

In a 49-page complaint filed in the U.S. District Court for the Middle District of Tennessee last week, the Nashville-based retailer claimed that Visa's fines were unjustified and unenforceable under the law.

Genesco's lawsuit is the first to challenge a credit card company on the issue of fines resulting from payment card data breaches.

Genesco, like every other entity that accepts credit and debit card payments, is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of controls put in place several years ago by Visa and designed to help companies bolster their defenses against attacks aimed at stealing cardholder data.

Over the years, credit card companies have assessed hefty fines against merchants who suffered payment card data breaches, purportedly as a result of their failure to comply with PCI DSS requirements.

Genesco was one such company. In 2010, the retailer suffered an intrusion in which unknown attackers attempted to steal payment card information from its networks.

According to Genesco's complaint, the attackers installed packet-sniffing malware on the company's network in an apparent bid to grab unencrypted card data as it was being transmitted for approval to card-issuing banks. The malware was designed to capture the card data and transmit it back to the attackers periodically.

After the intrusion was discovered, Visa issued an alert to affected card issuers, informing them that every Visa card that was processed by Genesco over a one-year period between Dec. 2009 and Dec. 2010 had been compromised. Visa later collected a total of $13.29 million in fines from Wells Fargo Bank and Fifth Third Bank, the two "acquiring banks" that had authorized Genesco's participation in the Visa payment system.

Under PCI DSS rules, acquiring banks are contractually responsible for ensuring that any merchants they authorize for payment card transactions are fully compliant with PCI DSS requirements. They can be fined if one of their merchants is breached as a result of a failure to comply with PCI DSS. Acquiring banks typically pay the fines to the credit card companies and later recover them from the merchant that suffered the breach.

In keeping with the practice, both Wells Fargo and Fifth Third collected from Genesco the amounts they had paid to Visa by way of fines.

In its lawsuit, Genesco claimed the fines were totally unjustified. It noted that Visa's own rules specify fines only in situations where a breach occurred because of a company's failure to comply with PCI. Even then, fines are applicable only if more than 10,000 cards are compromised. There also needs to be actual and demonstrable financial damage resulting from fraud or counterfeiting before a fine can be imposed.

None of these situations applied with the 2010 intrusion, Genesco said in its complaint. The company noted that it was fully compliant with PCI requirements at the time of the breach. As required under PCI, no card data was ever stored on Genesco's systems at any time during the intrusion.

The only card data that was potentially exposed was the unencrypted card data being transmitted for approval. Visa's own rules at the time did not require companies to encrypt such data while it was being transmitted, Genesco maintains.

The retailer also challenged Visa's assertion that all card data handled by the company over a one-year period was exposed in the intrusion. Genesco maintained that the servers handling the transactions were rebooted periodically. As a result, even if some card data had been stored in server log files, it would have been erased each time the server rebooted. This would mean there was little chance that all cards handled by the company over a one-year period would have been exposed.

Importantly, Visa failed to show that either it or any card issuers suffered any actual damages from the breach, Genesco said. According to Genesco, the intrusion did not result in any fraudulent activity or financial losses remotely amounting to the fines charged by Visa for the intrusion.

The company has also challenged the legality of Visa's actions, noting that the fines amounted to an illegal penalty rather than a fine based on actual damages. "Visa does not even pretend that the non-compliance fines represent actual damages that Visa incurred" as a result of Genesco's alleged failure to comply with PCI DSS, the company said in its complaint.

Visa did not respond to a request for comment.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
