Cincinnati Court Rules Against Merchant Services Company Over Data Breach Fines

A Court Ruling May Affect Acquirers’ Ability to Pass Along Data-Breach Fines to Merchants
– Digital Transactions

Manatt’s Anita Boomstein, a partner in the global payments group, spoke to Digital Transactions about liability for network fines after a merchant’s data breach.

A Houston-based liquor-store chain, Spec’s Family Partners Ltd., sued its acquirer, First Data’s First Data Merchant Services unit, over malware on Spec’s payment system in 2012 and 2013 that compromised over 550,000 cards.

Visa Inc. and Mastercard contacted the chain’s sponsor bank, a unit of Citigroup, after getting reports about fraud and card-reissuance expenses resulting from the breach. The card companies determined those costs and assessed them to Citigroup, which in turn passed the bills on to its third-party processor, First Data Merchant Service.

This decision is only binding in the states that comprise the court’s jurisdiction--Tennessee, Kentucky, Ohio, and Michigan.

The ruling could prompt acquirers and merchants to take a closer look at how merchant contracts assign liability for network assessments and data breaches.

“It’s an important decision on those grounds because processors typically are of the view that they can pass on everything from the networks to the merchants,” said Boomstein. “The court is saying that’s not necessarily the case. It depends on the wording of the agreement.”

Read the article here