It’s all fun and games until someone gets sued. Just a few weeks ago, news broke that credit card processor Chase Paymentech filed a breach-of-contract lawsuit against Landry’s in the U.S. District Court of Houston. The charge? A failure to comply with PCI DSS and secure P2PE processing requirements. Follow along as we examine the lawsuit, discuss the possibility of litigation in the wake of a breach, and outline how you can ensure that it will never happen to your university.
Once upon a time
If you think lawsuits get served as quickly as data breaches, think again. The claims filed against the hospitality company trace all the way back to December 2015, when investigations uncovered a substantial compromise involving “numerous Landry’s properties in several states”. Per the lawsuit, millions of credit card accounts were affected between May 2014 and December 2015 across at least 14 brands, including Bubba Gump Shrimp Co. and Rainforest Cafe. Visa and Mastercard determined that Chase Paymentech was liable for the data breach losses as the processor, triggering a domino effect. After paying the payment card networks $12.7M and $7.4M, respectively, Chase Paymentech claimed that Landry’s was contractually obligated to reimburse it.
Why? A failure “to comply with multiple Payment Card Industry Data Security Standards”.
However, Landry’s general counsel Steve Scheinthal disagrees. “Since Chase Paymentech’s parent JP Morgan Chase would be the ultimate beneficiary of a substantial portion of the assessments if they are collected from Landry’s, Chase Paymentech would rather capitulate to the demands of the powerful credit card brands than stand up for its merchants by taking action to challenge Visa’s and MasterCard’s unlawful practice in imposing these assessments. We won’t stand for that and have retained the law firm of Ropes and Gray to defend Chase Paymentech’s claims against Landry’s and put a stop to this unlawful practice of Visa and MasterCard.”
In other words, throw on a suit, because it’s time to go to court.
A battle of nerves
When Scheinthal mentioned capitulating “to the demands of the powerful credit card brands”, he was alluding to an ongoing, highly controversial debate: the proverbial tug-of-war between networks, processors, and merchants over payment card fraud liability.
Formerly considered a “victimless” crime because consumers were largely unaffected, payment card fraud has become a growing concern as it increases in size and impact. No longer willing to shoulder the burden of losses alone, banks and processors are contending that merchants should have done more to proactively detect and prevent breaches in the first place. In the past, they’ve pointed to delays in merchant EMV migration, but it’s clear that the new pain point is PCI DSS compliance, coupled with P2PE processing.
Path of least resistance
If your campus hosts payment processing avenues, whether stadiums, dining halls, coffee shops, or more, there’s a good chance that our common enemy, the higher education hacker, is lurking around. Instead of waiting to be sued and to make data breach headlines, you can partner up with us to integrate state-of-the-art solutions that are PCI and P2PE compliant. As the team on your team, we know your unique journey and support your cause.
Want to see for yourself? Download the case study to learn how we transitioned Northwestern University to a secure, cost-effective electronic payment system without any interruption to ongoing business processes.