The American Bankers Association yesterday filed an amicus brief in the Texas state court case of Visa v. Sally Beauty Holdings. In the brief, ABA offered support for Visa’s merchant data breach compensation program, which reimburses card-issuing banks for costs incurred because of a merchant data breach. After retailer Sally Beauty was breached twice in rapid succession, it sought to escape its obligations to compensate banks and credit unions, on the grounds that the payments were an illegal contractual penalty.
Earlier in the case, a district court granted Sally Beauty’s motion for summary judgment to waive its obligations to card-issuing banks, and Visa appealed. In today’s brief, ABA noted in the brief that Visa had a defensible rationale for its Global Compromised Account Recovery program, which “protects cardholders by requiring acquiring banks to ensure their merchants take commonsense precautions to secure their customers’ card numbers—measures that, if followed, virtually eliminate the risk that cardholders will suffer harm from data breaches of merchant card acceptance systems.”
“If the lower court is correct, and the GCAR Assessment is an illegal contractual penalty, then merchants can simply delete the GCAR Assessment from their contracts at their pleasure,” ABA wrote. “That will strike a blow to the entire GCAR Program and upset settled expectations of all the players in Visa’s payment-processing network. It will make cardholder data less secure. It will force banks, and ultimately their customers, to absorb losses for data breaches they did not cause and could not prevent. It will compel changes to mutually agreed-upon, industry-standard practices that have governed card-payment networks nationwide for nearly a decade. And it could threaten the very integrity of Visa’s payment system.”