Are credit card network assessments damages for which a merchant should be liable under its merchant contract? The United States Court of Appeals for the Sixth Circuit upheld a multi-million dollar judgment in favor of the merchant, based on the language of its particular merchant agreement.
Spec’s Family Partners, the operator of dozens of liquor stores across Texas, was the victim of attacks on its network in which attackers installed malware and accessed card data. A forensic investigation revealed that at the time of the hacking incident, Spec’s was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, Visa and Mastercard issued assessments and forwarded refunds from the issuer to the acquiring bank resulting from the security incidents.
The bank in turn debited the money from First Data, Spec’s merchant processor. First Data then demanded reimbursement from Spec’s, withholding the proceeds from the daily settlement of its card transactions and placing them in a reserve account. The reserve ultimately totaled $6.2 million.
As is typical of most commercial agreements, Spec’s indemnified First Data for any material breach of its representations, warranties and agreements, as well as for any act or omission that violates the rules of the card network. However, relying on a provision in its merchant contract that excluded liability for consequential damages, Spec’s alleged that First Data could not withhold the funds. On cross-motions for summary judgment, a federal court in Tennessee sided with Spec’s.
The district court ruled that the card brand assessments constituted consequential damages, eliminating Spec’s liability under the contract. Rejecting an alternative theory of liability put forward by First Data, the court further ruled that the merchant’s liability for “third party charges and fees” applied to routine fees associated with processing payments, not to this type of special assessment. Because Spec’s was not responsible for the assessments, it had not breached the agreement, the court ruled, whereas First Data materially breached the contract by seizing the settlement funds to reimburse itself for the card brand assessments.
First Data appealed. In an unpublished opinion, the Sixth Circuit affirmed.
The federal appellate panel first looked at the indemnification and limitation clauses of the contract. Spec’s agreed to indemnify First Data, Visa and Mastercard from and against “all claims, demands, losses, costs, liabilities, damages, judgments or expenses arising out of or relating to (i) any material breach by [Spec’s] of its representations, warranties or agreements under this Agreement; [or] (ii) any act or omission of [Spec’s] that violates… any rules or regulations governing the operation of Visa or Mastercard.”
But the section also contained limitations. It provided that “[u]nder no circumstances will the liability of any kind of either party towards the other hereunder include any special, indirect, incidental or consequential loss or damage, even if that party has been informed of the possibility of such potential loss or damage.”
Spec’s insisted that the card network assessments passed on to First Data constituted consequential damages, relieving it of any liability under the above exclusion. The court agreed, explaining that “consequential damages,” also called “special damages” by the courts in Tennessee, are the natural consequences of the act complained of, but not the necessary result.
“Here, the assessments fit comfortably into the classic Tennessee wording of consequential or ‘special’ damage,” the panel wrote. “Data breaches, which result in reimbursement of cardholders and the imposition of contributions, although natural results of Spec’s PCI DSS non-compliance, did not necessarily result.”
As Spec’s pointed out, a non-compliant merchant might never experience a data security breach, the court said, and card brands exercise discretion in issuing assessments, declining to impose them in all situations and never imposing them for PCI DSS non-compliance alone, in the absence of a security breach.
“While this is certainly a foreseeable consequence of poor data security, issuing reviews nonetheless constitutes indirect damage as it does not necessarily result from Spec’s Family’s non-compliance,” the court said. “As such, First Data retains responsibility for assessments under section 15(d) of the Merchant Agreement.”
The panel rejected First Data’s argument that an unbroken line connected Spec’s breach of data security and its liability for the assessments, reiterating that card brands exercise “great discretion” in imposing assessments as a result of a breach, reducing and voiding assessments in some cases.
The court was also not persuaded by the fact that Visa imposed a separate fine of $10,000 on Spec’s for PCI DSS non-compliance. “Visa imposed this fine only for non-compliance and regardless of the criminal attack, thus distinguishing it from assessments,” the court said.
First Data also made another argument for liability based on a different section of the merchant agreement. However, the panel again sided with Spec’s. The clause required Spec’s to pay “all third party fees and charges associated with the use of [First Data’s] services, as modified from time to time, including, without limitation, all telecommunications costs… and all network fees and charges.”
First Data argued that “third party fees and charges” include assessments. However, the court noted the opening phrase “associated with the use of [First Data’s] services” and decided that PCI assessments and data breaches are not associated with First Data’s processing services, but rather relate to reimbursement of liabilities passed along the payment card chain. Unlike telecommunications costs and network charges, which are specific examples of pass-on charges listed in the clause, “valuations are one-time liabilities that the parties do not ‘modif[y] from time to time.’”
The United States Court of Appeals for the Eighth Circuit, in a 2017 ruling also arising out of a merchant data breach, likewise held that the damages resulting from the card network assessments sought by the merchant’s processor, First Data, were subject to the liability limit contained in the merchant’s agreement. Also evaluating a limitation of liability clause, that court examined whether the card network assessments fell into the broad category of “fees, fines or penalties” for which the merchant would have been subject to a higher limit of liability. Ruling again in favor of the merchant, the court determined that the assessments (refunds to the issuer) were compensation for harm, but not fees, fines or penalties based on the ordinary meaning of those terms.
Finding that Spec’s was not responsible for the assessments, the appellate panel held that First Data was the first to materially breach the contract by withholding settlement funds owed to Spec’s. Spec’s PCI DSS non-compliance was a trivial violation, the Sixth Circuit wrote, as it did not amount to “substantially defeat[ing] the subject of the contract.”
The parties continued to operate under the merchant agreement after the security breach, demonstrating that even First Data did not view the lack of PCI compliance as essential to the existence of the contract, the court noted. “PCI DSS compliance has served as a peripheral promise to the core benefit expected by First Data – payment for its processing services,” the panel wrote. In addition, following the attacks, Spec’s investigated the breaches and took several steps to achieve full PCI DSS compliance, including segmenting its payment card server and increasing the level of encryption of account data.
On the other hand, First Data’s withholding of settlement funds “deprived Spec’s of its main expected benefit under the contract: the faithful performance of processing services by First Data.”
The Sixth Circuit upheld the summary judgment in favor of Spec’s, as well as an order to repay the money from the reserve account, plus interest.
The opinion is Spec’s Family Partners v. First Data Merchant Services, LLC.
Why this is important
The ruling is a victory for Spec’s, and combined with a consistent Eighth Circuit ruling, these cases may provide favorable authority for other merchants whose agreements, whether with First Data or another processor, contain a similar limitation of liability clause. The most important takeaway for merchants, however, is that the language of the contract matters, and careful consideration and negotiation could have a significant positive impact on the merchant.