Genesco Inc., the parent of Journeys and Lids, has filed a lawsuit against Visa, charging the credit-card company with wrongfully taking more than $13 million as punishment for a data breach.
The federal lawsuit was filed in Nashville. The complaint can be found at this link.
The dispute stems from a 2010 breach of Genescos computer system. , Genesco admitted its systems had been breached, stating that the system which copes with payment processing was “hacked,” and that the details of particular cards may have been compromised.
Unidentified hackers inserted malicious software designed to capture card information as it was processed through the network, the suit said. It said the hackers were hoping to exploit a weak link in the transaction approval process: Card data transmitted from the register to banks is not encrypted.
Both Visa and Mastercard charged that Genesco and its connected merchant banks were non-compliant with Payment Card Industry (PCI) standards to allow such breaches to take place, resulting in fees of over $15 million.
But Genesco contends Visa overreacted because there was no evidence that the hackers stole any cardholder information. Regular rebooting of its computer servers erased any data before hackers could retrieve it, it stated.
Genesco also charged Visa violated its contracts with the banks by not following the required procedure before issuing the fines and assessments. The documents points out that merchant banks are not meant to be liable for the recovery of fraudulent transactions unless an “account compromise event” results in the theft of at least 10,000 accounts, and the level of fraud is more than usually accounted for with Visa card use.