A Long Road Ahead for Genesco in Visa PCI DSS Case
The judge overseeing the Genesco v. Visa PCI DSS trial has issued an order denying Genesco’s request for partial summary judgment, “without prejudice to renew after a reasonable period of discovery,” leaving much of the case still to be decided.
An athletic apparel retailer with almost 2,500 stores around the world, Genesco was infiltrated by hackers who allegedly captured card data from the retailer’s customers for a full year, between December 2009 and December 2010. Visa, calling it one of the largest security breaches in Visa’s history, charged Genesco a cool $13.2 million in PCI DSS noncompliance fines.
Genesco, however, contends that it should be reimbursed for the fines, citing, among other reasons, that at the time of the breach and during all other relevant periods Genesco was in fact compliant with the PCI DSS requirements.
Genesco moved for judgment as a matter of law, hoping the judge would find that the fines violated the contracts between Genesco’s acquiring banks and Visa, violated the Unfair Business Practices Act of California (where Visa is headquartered), or unjustly enriched Visa.
While the judge did not grant this request, the case is far from over: the judge had also denied Visa’s earlier attempt to dismiss Genesco’s claims. The next battle, it seems, will be over two questions. First, whether Visa is entitled to documents regarding Genesco’s PCI DSS compliance both before and after the incident (Genesco argues that Visa is entitled only to the compliance documents related to the fines Visa imposed on the retailer). Second, whether Visa can justify fines based on noncompliance that could theoretically have led to the attack.
Once these questions are resolved, Genesco may be able to move for partial summary judgment once again, should it still want to.
The case brings to light a few criticisms of PCI DSS compliance. Many find that PCI DSS covers only the bare minimum in security standards, with some going as far as to say it is merely a tool used by credit card companies to generate revenue through fines. It will be interesting to see whether Genesco was in fact infiltrated while compliant, and what impact that finding will have on the fines charged by Visa. Regardless of the outcome, security is obviously an extremely important concern for all vendors. And while meeting the PCI DSS standard may or may not be enough to keep customers safe from security breaches, doing so certainly won’t cost you $13 million.
The Genesco v. Visa trial is scheduled to begin July 22, 2014.