Stephen and Cissy McComb say they managed their Italian eatery in Park City, Utah, for more than two decades without running afoul of security rules of Visa Inc. (V) and MasterCard Inc. (MA) -- until they were accused of mishandling data and opening the door to $1.26 million in fraud.
The McCombs, who opened Cisero’s in 1985, are now in a legal fight with the bank that processed their credit charges and, indirectly, with what they say are card networks that change rules without notice, impose unfair one-sided contracts and allow the taking of money from merchants’ accounts with no proof of fault.
The couple sued, saying they didn’t break MasterCard and Visa rules, that there was no security lapse and that no acts of fraud were specifically claimed. The fraud was conjured from unexplained and unsupported data, they said in court papers filed in state court in Park City. Their suit may be the first court challenge to penalties under the card networks’ security procedures, said one of their lawyers, W. Stephen Cannon.
It’s rare for banks and their processors to file a lawsuit against a merchant, lawyers said.
“This case has the potential to send the message that merchants can stick up for themselves in these relationships and demonstrate that they’re correct and the bank has it wrong,” said Douglas Kantor, a lawyer at Steptoe & Johnson LLP in Washington who isn’t involved in the litigation. “Merchants essentially live in fear that they will be crushed by the card companies and banks if there’s ever a dispute, and therefore don’t dispute most of these things.”
Kantor is counsel to the Merchants Payments Coalition, a group of more than 100 trade associations.
The McCombs aren’t alone in criticizing payment-card industry, or PCI, rules, said Mallory B. Duncan, general counsel of the National Retail Federation in Washington.
“There’s a suspicion among many merchants that PCI is a near scam wrapped in good intentions,” Duncan said by phone from Washington. “The dissatisfaction with PCI and the financial consequences of it in the retail industry are rampant.”
US Bancorp is a middleman in Cisero’s credit business, out of sight of customers who may be aware only of Visa, MasterCard and the banks that issue the cards. Worldwide spending on Visa debit and credit cards in the quarter ended Sept. 30 was $970 billion. Worldwide spending on MasterCard- and Maestro-branded cards was $469 billion.
More than 8 million U.S. merchants accept Visa and MasterCard, said David Boies, an attorney for American Express Co., according to a company transcript of an October 2010 conference call with analysts and reporters.
As the so-called acquiring bank, US Bank provided Cisero’s with access to payment networks and maintained an account from which it paid the restaurant for credit-card purchases, the McCombs said. Elavon processed the payments.
Teri Charest, a spokeswoman for US Bancorp, said in an e-mail that the bank denied any liability will fight the lawsuit.
The dispute is the latest in the contentious relationship between merchants and the card networks.
In 2003, in a suit brought by Cannon’s firm, New York-based Constantine Cannon LLP, Visa and MasterCard agreed to pay $3 billion to settle claims they overcharged on debit-card swipe fees.
Merchants last year successfully lobbied for federal legislation limiting the debit fees. Trade groups and merchants including the National Restaurant Association have filed an antitrust suit against the networks in federal court in Brooklyn, New York that is still pending.
Cisero’s, which does about $2 million a year in business, is on Main Street in Park City, a onetime silver-mining town that’s home to ski resorts and Robert Redford’s Sundance Film Festival, the largest U.S. showcase for independent movies.
The restaurant, decorated in earth colors, has high-backed upholstered booths in the dining room and a club with dancing in the basement. The pasta is made from scratch.
US Bancorp told Cissy McComb in March 2008 that credit cards used at the restaurant may have been fraudulently used elsewhere, according to court papers. It was the first she learned of the card networks’ latest rules, Cissy McComb said.
“We find ourselves in a position to do nothing but defend ourselves and try to change the way merchants are treated,” she said.
Visa and MasterCard require the merchant to hire an approved forensic examiner to investigate if an “account data compromise” event occurred when they determine there may have been a breach.
After the networks said cards fraudulently used in the area had been used at Cisero’s, the restaurant had separate investigations done by two examiners. They showed that no one hacked into the restaurant’s computers, the McCombs said in court papers.
Unknown to them, data on 8,107 customers’ accounts had been stored in their computer system, they said. That was fewer than the 10,000 threshold for a fine to be imposed under Visa’s rules that certain customer data shouldn’t be stored on a merchant’s computer, they said.
Visa later said 32,581 accounts were on Cisero’s computer, without explaining how it got that number, according to the McCombs.
MasterCard and Visa said Cisero’s violated their security standards. They fined US Bancorp, which is seeking to recoup the money from the restaurant in its lawsuit.
Visa decided the “actual fraud” was $1.26 million and calculated Cisero’s total liability for noncompliance at $1.33 million, according to court papers. The restaurant’s “total pre-cap liability” was put at $511,513, the couple said in court papers, and ultimately Visa said Cisero’s owed $55,000.
“These various shifting numbers based on unexplained calculations” show that the “process is little more than a scheme to extract steep financial penalties from small merchants,” Cisero’s said in court papers.
MasterCard said it could assess $100,000 against the restaurant but was imposing only $15,000, they said. The card company later added $13,850 in loss claims by issuing banks based on fraudulent cards supposedly made with data stolen from Cisero’s system, the McCombs said.
The couple denied any data was stolen from their system and “were never given a meaningful opportunity to provide evidence,” they said.
Denise Dunckel, a spokeswoman for San Francisco-based Visa, and James Issokson, a spokesman for Purchase, New York-based MasterCard, declined to comment on the lawsuit. Their companies aren’t defendants in the case.
In September 2008, the McCombs found that US Bancorp was taking money from its account, they said, with deductions eventually reaching $10,172. To prevent further seizures, they closed the account and found a new bank and processor, they said.
“It was at the end of the month and we had to pay our payroll,” Cissy McComb said. “Elavon was taking every dollar out of the account.”
US Bancorp sued to recoup the $82,692 it said it was owed and the restaurant refused to pay after it “failed to secure and keep safe the credit-card information of individuals who made charges at Cisero’s,” the bank said.
“Unauthorized charges were made on some credit cards which had previously been used to make purchases at Cisero’s,” US Bancorp said in its complaint.
In its countersuit, Cisero’s asked for the withdrawn money and damages for loss to reputation and emotional distress for Cissy McComb. Under contract law, US Bancorp isn’t allowed to impose fines, the McCombs said in court papers.
When the restaurant and US Bancorp entered their first contract, “arcane operating rules -- over 1,000 pages in length -- were not publicly available to merchants and did not contain provisions on data security,” the McCombs said in their complaint.
The couple said they had no chance to negotiate over terms and no choice but to sign.
“Restaurants must be able to accept electronic payments from Visa and MasterCard to stay in business,” they said in the complaint. Not accepting customers’ cards “is simply not an option for Cisero’s.”
The restaurant also said the requirement that merchants indemnify banks for penalties gives US Bancorp no incentive to fight allegations by the payment networks. It asked the court to rule it doesn’t have to reimburse the bank.
“At no time has Elavon, US Bank, Visa, MasterCard or any other entity proven that a data breach occurred at Cisero’s, that card issuers actually suffered fraud losses or that any such losses were caused by a data breach at Cisero’s,” the restaurant said in court papers.
The bank asked Judge Keith Kelly in Park City to dismiss part of the restaurant’s complaint. He hasn’t ruled.
“The case is unusual because the banks and their processors rarely get to the point where they actually file a suit against the merchant,” said Scott DeFife, head of government affairs for the National Restaurant Association in Washington.
“Because they did, it allowed Cisero’s to answer back, ‘Prove it and show us your math.’”
The case is Elavon Inc. v. Cisero’s Inc., 100500480, Utah Third Judicial District Court, Summit County (Park City).
To contact the reporter on this story: Thom Weidlich in Brooklyn, New York, federal court at email@example.com.
To contact the editor responsible for this story: Michael Hytha at firstname.lastname@example.org.