A legal challenge to the payment card industry's PCI security standards is brewing in the US, as a Utah-based restaurant chain cries foul over the apparently "arbitrary" nature of the system and the level of fines imposed by Visa and MasterCard following an alleged breach of security.
Stephen and Cissy McComb, the owners of Cisero's Ristorante and Nightclub in Park City, Utah, have filed a lawsuit against their merchant acquirer US Bank, which is pursuing the business for $90,000 in fines levied by Visa and MasterCard. The card schemes claim that lax security at Cisero's led to a leak of customer credit card details that were later used to make fraudulent transactions.
US Bank initially seized $10,000 from the restaurant's account and took the McCombs to court to recoup the remaining $80,000 outstanding on the fines. In their countersuit, the McCombs take aim at the card industry's PCI security standards, describing them as an arcane set of rules and regulations that can be rewritten at any time and allow the card schemes to ride roughshod over merchants without any oversight.
In their suit, the McComb's say that Visa and MasterCard have failed to provide any proof that their systems were breached and that the level of fines imposed seemed to have been conjured up out of thin air, describing them as "various shifting numbers based on unexplained calculations".
"The process is little more than a scheme to extract steep financial penalties from small merchants," the suit contends.Finextra verdict
It's a surprise that it has taken so long. Dissatisfaction with the PCI scheme is rampant among merchants, who describe it as a "near scam wrapped in good intentions"
. Visa and MasterCard have every right to insist on high security standards among merchants who accept their cards but, as we've pointed out in the past
, they sometimes seem to be making up the rules as they go along. As Stephen Cannon, an attorney representing the McCombs, puts it: "It's just like Visa and MasterCard are governments. Where do they get the authority to execute a system of fines and penalties against merchants? That's a very important issue in this case." At the moment, merchants like the McComb's have no choice but to sign up to the PCI compliance standards and accept the provisions dictated by the card schemes. If they win their court case, the implications for the future of the PCI scheme - and the security blanket it provides to the payment cards industry - could be very grave.