PCI Compliant Companies May Have Legal Protection Against Credit Card Companies Despite Suffering a Data Breach.
Last month, a federal district court in Tennessee denied a motion to dismiss a case brought by retail store operator Genesco Inc. against Visa for $13.3 million in fines that Visa against Genesco following a data breach. The breach at issue involved the use of malware by hackers to capture unencrypted credit card data. Visa claims that every credit card processed by Genesco during the breach period of December 2009 to December 2010, therefore, was compromised. Visa then imposed a contractually-imposed, multi-million dollar fine on Genesco, which it executing by causing Genesco’s bank to withdraw the money from Genesco’s accounts.
Genesco claims that the company was PCI compliant and that no violations of the Payment Card Industry Data Security Standards occurred. Genesco further argues that forensic evidence shows that payment card security was never actually compromised by the malware and so no actual harm was caused by the breach. Therefore, Genesco argues, the contractual provision in the standard Visa-retailer contract allowing for imposition of the fines was not triggered.
Visa moved to dismiss Genesco’s claims, but the court denied the motion, stating that Visa’s assessment of fines against Genesco following the breach “lacked a factual basis” and “were contrary to the forensic evidence about the effects of the cyber-attack on Genesco’s computer system.”
Like other retailers, members of the hospitality industry are often victims of cyber-attacks. And like Genesco, hoteliers may find themselves subject to heavy contractual fines by the major credit card companies anytime a breach occurs. A robust PCI compliance program can help mitigate against the legal and financial consequences of such attacks. And the most effective PCI training programs for hotels are those that include custom learning solutions, such as PCI compliance training modules and similar training on best practices for using hospitality technology.
The Venza Group has partnered with Arnall Golden Gregory (AGG) to create a series of interactive eLearning modules to address PCI compliance in the hotel industry. Management, employees and IT are taught about the requirements they must support as part of the Payment Card Industry Data Security Standards. The Venza Group also is partnering with AGG to create an interactive eLearning module to train hoteliers on general privacy and security awareness issues.
Citation: Genesco Inc. v. Visa USA Inc., et al., Case No. 3:13-cv-00202 (M.D. Tenn. July 18, 2013)