
Genesco Sues Visa Over $13 Million In PCI Noncompliance Penalties

Retailer says noncompliance fines exacted by Visa following breach were out of bounds
Retail giant Genesco is suing Visa over a fine of more than $13 million that the credit card firm exacted for noncompliance with PCI guidelines following a breach in 2010.

According to a report and court documents posted by Wired magazine, Genesco is alleging that Visa's practice of levying fines through merchant bank accounts was unfair under California law, where Visa is based.

Visa is a primary enforcer of the Payment Card Industry Data Security Standard (PCI), which outlines security standards that must be maintained by merchants that accept credit card payments. Merchants that fail to comply with the security guidelines outlined under PCI are subject to fines by credit card firms or the loss of their ability to accept credit cards.

Genesco's lawsuit is the first to challenge Visa's practices for enforcing a major noncompliance penalty.

Genesco suffered a data breach in 2010, and Visa collected $5,000 fines from all of its merchant banks, many of which extracted the money from Genesco's accounts, according to the Wired report. Visa collected more than $13.3 million in penalties, and MasterCard extracted approximately $2.3 million.

According to court documents posted by Wired (PDF), the lawsuit alleges that Genesco's breach did not constitute a major violation of PCI compliance rules outlined by Visa, but the credit card firm exacted the fines anyway.

Visa did not respond to Wired's request for a comment.
