DataBreaches.Net


The merchant strikes back: Cisero’s sues processor and bank over pass-along fines following alleged breach

Posted on January 9, 2012 by Dissent

There’s an interesting lawsuit to watch in Utah. The owner of Cisero’s in Park City is suing their payment processor and bank for deducting money from their account after card issuers fined them over an alleged breach of the restaurant’s system.

The case stems from a March 2008 incident. According to Cisero’s, Visa had notified them that they appeared to be the common point of compromise in a situation involving credit card fraud and that they needed to bring in forensic investigators. Two independent forensic investigations found that the restaurant had unknowingly stored credit card numbers, but there was no clear evidence of any actual breach. Despite the absence of confirmation of any breach that could account for customers’ fraudulent charges elsewhere, Visa ultimately fined U.S. Bank, the acquiring bank. Elavon, the payment processor, is a unit of U.S. Bank.

Thom Weidlich provides the background on the case on Bloomberg.

At issue here are the restaurateur’s claims that there was no evidence they had been hacked, that Visa never proved a compromise of their system that resulted in fraud, and that although they had unknowingly stored over 8,000 card numbers, that number was below the contractual threshold to trigger fines. The owners had been sued by Elavon for over $82,000 in fines that Visa and MasterCard had levied. The owners countersued in August.

“At no time has Elavon, US Bank, Visa, MasterCard or any other entity proven that a data breach occurred at Cisero’s, that card issuers actually suffered fraud losses or that any such losses were caused by a data breach at Cisero’s,” the restaurant said in court papers.

The owners also allege that U.S. Bank never provided any information or support to assist them in staying secure and PCI-DSS compliant, and that rules were unilaterally changed without notice or consent over time.

Some of their suit strikes me as buyer’s remorse. They signed a contract that permitted some of these things to occur. Was it a lousy contract? Probably. Were there documents that they weren’t even provided before they signed the contract? It seems so. But what it may boil down to is that they did sign a contract. So what part of the contract did the bank and processor actually breach? Their strongest arguments appear to be that they were not notified of the fine, as required by the contract, in time for them to file a timely appeal, and that Visa ascribed losses to a breach without justifying their numbers, particularly since there was no proof any breach had even occurred. I think their claim that the acquiring bank failed to provide them with information and support to remain compliant is also worth pursuing, but without the language of the contract to determine the bank’s contractual obligations to them, I’m not sure where that will go.

Visa is not a defendant in this lawsuit, but they are the elephant in the room.

You can read the payment processor’s lawsuit against the restaurant and the countersuit against the processor and acquiring bank, courtesy of Bloomberg. See what you think. Do you think they stand a chance of prevailing?

Category: Business Sector, Commentaries and Analyses, Of Note

2 thoughts on “The merchant strikes back: Cisero’s sues processor and bank over pass-along fines following alleged breach”

  1. Jagfrisco says:
    January 9, 2012 at 7:54 pm

    I read the countersuit, and I think this customer will have her day in court and that she will prevail. I don’t think at all that this is a case of “buyer’s remorse”, as you call it. I believe the jury will find that the “contract” was unenforceable, because of so many reasons. Right now, merchants are left out to hang by their processor, who knows that if there is a breach, they can always pass along any fines. They have no incentive to help their merchants. The rules are so complex, anymore, that a small merchant has no chance of ever being data-secure or PCI-compliant, anyway.

    1. admin says:
      January 9, 2012 at 8:14 pm

      I hope you’re right. I think if it gets to a jury, a jury will align with the restaurateur against the “big guns,” but I don’t know contract law (or any other law, for that matter!). But yes, I do think some of this is “buyer’s remorse” because merchants sign these contracts aware of certain provisions that they don’t like, but feel they have to sign if they want to take credit cards. So you sign on the line and then regret it, but that by itself doesn’t make the contract unenforceable. I look forward to seeing what happens in this case, although I wouldn’t be surprised if it settles, either.
