Sports retailer Genesco, which operates over 2,400 stores in North America and Europe, has filed a lawsuit against Visa, blaming the company for the considerable penalties imposed on merchants and banks that suffer data breaches.
Genesco’s systems were hacked back in 2010. At the time, the company didn’t provide many details, but it revealed that it had identified packet-sniffing software that could have been used to steal credit card details.
According to court documents
obtained by Wired
, Genesco says that it hasn’t found any evidence that credit card data has been stolen. However, Visa fined Wells Fargo and Fifth Third Financial, the financial institutions in charge of processing transactions at Genesco stores, for noncompliance to Payment Card Industry (PCI) standards.
Initially, Visa fined each of the banks with $5,000 (3,800 EUR), but later demanded an additional $13.3 million (10 million EUR), allegedly to recover the cost of fraudulent transactions and to cover the expenses caused by the breach.
The money was seized earlier this year from the sports retailer’s bank accounts by the financial institutions, which is why Genesco is suing Visa, arguing that the banks should not be liable for the breach.
The retailer argues that Visa imposed penalties despite the fact that less than 10,000 accounts were impacted in the breach, and despite the fact that no PCI violation that allowed the theft to occur was committed, these being the requirements that would have permitted the credit card issuer to take action.
Genesco says that Visa has violated its own rules and procedures.
It’s worth noting that Genesco is the first company to file such a lawsuit. It remains to be seen if others will follow its lead.
Another noteworthy aspect is that Visa is not the only one that imposed fines on Genesco. MasterCard has also demanded $2.3 million (1.8 million EUR), but the credit card company has not been sued, at least not yet.