January 12, 2012 - A legal challenge to the payment card industry's PCI security standards is brewing in the US, as a Utah-based restaurant chain cries foul over the apparently "arbitrary" nature of the system and the level of fines imposed by Visa and MasterCard following an alleged breach of security. Stephen and Cissy McComb, the owners of Cisero's Ristorante and Nightclub in Park City, Utah, have filed a lawsuit against their merchant acquirer US Bank, which is pursuing the business for $90,000 in fines levied by Visa and MasterCard. The card schemes claim that lax security at Cisero's led to a leak of customer credit card details that were later used to make fraudulent transactions.
US Bank initially seized $10,000 from the restaurant's account and took the McCombs to court to recoup the remaining $80,000 outstanding on the fines. In their countersuit, the McCombs take aim at the card industry's PCI security standards, describing them as an arcane set of rules and regulations that can be rewritten at any time and allow the card schemes to ride roughshod over merchants without any oversight.
In their suit, the McCombs say that Visa and MasterCard have failed to provide any proof that the restaurant's systems were breached and that the level of fines imposed seemed to have been conjured up out of thin air, describing them as "various shifting numbers based on unexplained calculations".
"The process is little more than a scheme to extract steep financial penalties from small merchants," the suit contends.