Elavon Gets Sued Over Excessive PCI Compliance Fees
In case you missed it, Wired magazine recently published an interesting story about the owner of a restaurant called “Cisero’s” in Utah that is suing Elavon over PCI compliance fines.
The problem started when U.S. Bank (Elavon’s parent company) was fined $90,000 by Visa and MasterCard, who alleged that Cisero’s had not secured its network and had experienced a data breach that resulted in fraudulent transactions on a few of its customers’ cards. In reaction, U.S. Bank debited $10,000 from Cisero’s checking account without notice and then filed a lawsuit against Cisero’s owners (Stephen and Theodora “Cissy” McComb) to obtain the remaining $80,000, stating that their merchant account contract makes them responsible for such fines.
The McCombs have filed a countersuit against U.S. Bank alleging that the bank deceives merchants into signing unfair contracts that allow it to arbitrarily change terms without notice, impose random fines without clear explanation, and refuse merchants a chance to dispute fines before the money is taken from them. As any experienced merchant knows, these types of contracts are not limited to just Elavon or U.S. Bank, but are a standard practice in the credit card processing industry.
At the heart of the issue is the controversial PCI Security Standards Council, an organization created within the industry itself that dictates the data security standards with which merchants must comply when accepting credit cards. Providers such as Elavon are held responsible for the security vulnerabilities of their merchant customers and incur costs for undergoing periodic audits. However, nearly all providers pass this liability onto their merchant customers in their merchant account agreements, thereby indemnifying themselves completely. Many providers also charge merchants annual fees to cover their PCI compliance costs, but often these fees are marked up at a huge profit and go far beyond simply covering the additional costs. It is common for merchants to be told that the infamous “PCI Compliance Fee” is a government-mandated fee that is required to be passed on to the merchant; however, this is nothing more than a complete falsehood.
Cisero’s lawsuit brings into question whether or not Visa and MasterCard should have the authority to impose fines and penalties on merchants as though they were a government agency. This is especially important considering that the fines are forcefully taken without any proof of security issues or breaches being supplied to the merchant, and without any recourse for the merchant to appeal the fines. Cisero’s serves as a prime example: it has reported that no evidence has been supplied regarding its alleged breach, and the owners have received little to no cooperation in resolving the issue.
Successful litigation could open the doors for other merchants who have been wrongly fined and force a change in PCI Compliance policies. What do you think? Are PCI Compliance fees reasonable in cost? Are the policies regarding PCI fair to merchants? Do you have a PCI compliance horror story like Cisero’s? Tell us your thoughts in the comment section below.
View Cisero’s court filing.