Are assessments from the credit card networks damages that a merchant should be liable for under its merchant agreement? The U.S. Court of Appeals for the Sixth Circuit affirmed a multimillion-dollar judgment in favor of the merchant, based on the language of its particular merchant agreement.
Spec’s Family Partners, the operator of dozens of liquor stores across Texas, was the victim of attacks on its network through which attackers installed malware and accessed card data. A forensics investigation revealed that at the time of the hacking incident, Spec’s was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS). As a result, Visa and Mastercard issued assessments and passed along issuer reimbursements to the acquiring bank resulting from the security incidents.
The bank in turn debited the money from First Data, the merchant processor for Spec’s. First Data then demanded reimbursement from Spec’s, by withholding the proceeds of the daily settlement for its card transactions and placing them in a reserve account. The reserve eventually totaled $6.2 million.
Consistent with most merchant agreements, Spec’s indemnified First Data for any material breach of its representations, warranties and agreements, as well as for any act or omission that violated card network rules. However, relying on a provision in its merchant agreement that excluded liability for consequential damages, Spec’s alleged that First Data could not withhold the funds. On cross motions for summary judgment, a Tennessee federal court sided with Spec’s.
The district court held that the card brand assessments constituted consequential damages, eliminating liability for Spec’s under the contract. Discounting an alternative theory of liability put forth by First Data, the court further held that the merchant’s liability for “third-party fees and charges” applied to routine charges related to payment processing, not this type of special assessment. The court reasoned that because Spec’s was not liable for the assessment, it was not in breach of the agreement. First Data, by contrast, materially breached the contract when it seized settlement funds to reimburse itself for the card brand assessments, the court held.
First Data appealed. In an unpublished opinion, the Sixth Circuit affirmed. The federal appellate panel first addressed the indemnification and limitation clauses in the contract. Spec’s agreed to indemnify First Data, Visa and Mastercard from and against “any and all claims, demands, losses, costs, liabilities, damages, judgments or expenses arising out of or relating to (i) any material breach by [Spec’s] of its representations, warranties or agreements under this Agreement; [or] (ii) any act or omission by [Spec’s] that violates … any operating rules or regulations of Visa or Mastercard.”
But the section also contained limitations. It provided that “[i]n no event shall either party’s liability of any kind to the other hereunder include any special, indirect, incidental or consequential losses or damages, even if such party shall have been advised of the possibility of such potential loss or damage.”
Spec’s insisted that the card network assessments passed down to First Data constituted consequential damages, exempting it from liability based on the above exclusion. The court agreed, explaining that “consequential damages,” also referred to as “special damages” by Tennessee courts, are the natural consequences of the act complained of, though not the necessary result.
“Here, the assessments fit comfortably within Tennessee’s classic consequential, or ‘special,’ damages formulation,” the panel wrote. “The data breaches, resulting reimbursement to cardholders and levying of assessments, though natural results of Spec’s PCI DSS non-compliance, did not necessarily follow from it.”
As Spec’s pointed out, a non-compliant merchant might never suffer a data security breach, the court said, and the card brands exercise discretion in issuing assessments: they do not levy them in every situation, and never for PCI DSS non-compliance alone in the absence of a security breach.
“Though certainly a foreseeable consequence of weak data security, the issuance of assessments nevertheless constitutes consequential damages because it did not necessarily follow from Spec’s Family’s non-compliance,” the court said. “Thus, First Data retains liability for the assessments under section 15(d) of the Merchant Agreement.”
The panel rejected First Data’s argument that an unbroken line connected Spec’s data security non-compliance and liability for the assessments, reiterating that the card brands exercise “considerable discretion” in imposing assessments following a breach, reducing and waiving assessments in some cases.
Nor was the court persuaded by the fact that Visa assessed Spec’s a separate $10,000 fine for PCI DSS non-compliance. “Visa issued that fine solely for non-compliance and regardless of the criminal attack, thus distinguishing it from the assessments,” the court said.
First Data also presented an alternative argument for liability based on a different section of the merchant agreement. However, the panel again sided with Spec’s. The clause required Spec’s to pay “any and all third-party fees and charges associated with the use of [First Data’s] services, as modified from time to time, including without limitation all telecommunications costs … and all Network fees and charges.”
First Data contended that “third-party fees and charges” include the assessments. However, the court noted the prefatory phrase “associated with the use of [First Data’s] services” and ruled that the PCI and data breach assessments are not associated with First Data’s processing services, but rather relate to reimbursement for liabilities passed down the payment card chain. Unlike the telecommunications costs and network fees, which are specific examples of pass-through fees listed in the clause, “the assessments constitute unique, one-off liabilities that the parties do not ‘modif[y] from time to time.’”
The U.S. Court of Appeals, Eighth Circuit, in a 2017 decision also stemming from a merchant’s data breach, similarly held that damages from card network assessments sought by the merchant processor First Data were subject to the cap on liability contained in the merchant’s agreement. Also evaluating a limitation of liability clause, that court considered whether the card network assessments fell into the broad category of “fees, fines or penalties” for which the merchant would have been subject to a higher liability cap. Again holding in favor of the merchant, the court determined that the assessments (issuer reimbursements) were compensation for an injury, but not fees, fines or penalties based on the plain meaning of those terms.
Finding that Spec’s was not liable for the assessments, the appellate panel affirmed that First Data was the first to materially breach the contract by withholding settlement funds owed to Spec’s. Spec’s PCI DSS non-compliance was an immaterial breach, the Sixth Circuit wrote, as it fell short of “substantially defeat[ing] the contract’s purpose.”
The parties continued to perform under the merchant agreement after the security breach, demonstrating that even First Data did not consider the lack of PCI compliance vital to the existence of the contract, the court noted. “PCI DSS compliance served as a promise peripheral to the central benefit First Data expected – payment for its processing services,” the panel wrote. “Moreover, following the attacks, Spec’s investigated the breaches and took several steps to achieve full PCI DSS compliance, including segmenting off its payment card server and upping the account data encryption level.” On the other hand, First Data’s withholding of the settlement funds “deprived Spec’s of its principal expected benefit under the contract—First Data’s faithful execution of processing services.”
The Sixth Circuit affirmed summary judgment in favor of Spec’s, along with an order to refund the money in the reserve account, plus interest.
The opinion is Spec’s Family Partners v. First Data Merchant Services, LLC.
Why it matters
The decision is a victory for Spec’s, and combined with a consistent ruling by the Eighth Circuit, these cases may provide favorable authority for other merchants whose agreements, whether with First Data or another processor, contain a similar limitation of liability clause. The most important takeaway for merchants, however, is that contract language matters, and careful review and negotiation could have a meaningful positive impact on the merchant.