August 07, 2014 Articles

Payment Processor's "In-House" Data Security Compliance Program Under Attack

No good deed goes unpunished: payment processors could face antitrust and unfair competition liability risks when offering PCI compliance services to their merchants

by Edward A. Marshall

In the wake of recent and highly publicized data breaches involving payment card information, businesses accepting payment cards (or "merchants") are becoming increasingly sensitive to ensuring compliance with applicable data security guidelines, known as the Payment Card Industry Data Security Standard, or PCI DSS. After all, if a merchant suffers a data breach due to its failure to adhere to PCI standards, it can face staggeringly large liability assessments from card brands, such as Visa and MasterCard, associated with resultant payment card fraud.

For years, PCI compliance service vendors, which receive certification by the PCI Council—a body originally formed by American Express, Discover, JCB, MasterCard, and Visa—have assisted merchants with ensuring their fidelity to PCI DSS. To gain access to these merchants, such service vendors frequently collaborate with payment card processors and acquirers, i.e., the entities that contract with individual merchants and/or independent sales organizations (ISOs) and facilitate the authorization and payment of card transactions.

More recently, however, certain processors have developed their own "in-house" PCI compliance programs, which they provide to certain merchants for a fee. One such program offered by First Data recently came under attack in litigation involving a service vendor with which First Data had historically contracted to provide PCI compliance services.

The First Data Case
Specifically, in First Data Merchant Services Corp. v. SecurityMetrics, Inc., No. RDB-12-2568 (D. Md. Nov. 12, 2013), First Data brought suit against its former service vendor, SecurityMetrics, claiming that SecurityMetrics had engaged in a campaign of false advertising and unfair business practices against First Data following the termination of the parties' contractual relationship. SecurityMetrics counterclaimed, contending that First Data's recently introduced and competitive PCI compliance service solution, "PCI Rapid Comply," was unlawful for a host of reasons. The district court rejected First Data's arguments that several of these counterclaims should be dismissed for failure to state a claim—a decision that may give other processors pause as they seek to implement similar in-house PCI compliance solutions.

Among other things, SecurityMetrics alleged that First Data's use of the phrase "PCI" in the title of its program was likely to cause merchants to incorrectly perceive First Data's program as one explicitly endorsed by the PCI Council, when that was not the case. According to SecurityMetrics, this "false endorsement" violated § 43 of the Lanham Act.

First Data argued that the claim should be dismissed because SecurityMetrics owned no mark confusingly similar to First Data's "PCI Rapid Comply" mark, and thus, from First Data's perspective, SecurityMetrics lacked standing to pursue a Lanham Act claim. The court disagreed, holding that the class of persons with standing under § 43 of the Lanham Act extends beyond holders of similar marks. According to the court, because § 43(a)(1) of the Lanham Act, 15 U.S.C. § 1125(a), defines a potential plaintiff as "any person who believes that he or she is or is likely to be damaged by [the defendant's] act," SecurityMetrics—which had alleged "damage[] to its commercial interests and its ability to stay competitive in the marketplace"—pleaded facts sufficient to support its standing. First Data, No. RDB-12-2568, slip op. at 16.

What is more, the court declined to dismiss counterclaims brought by SecurityMetrics alleging an unlawful restraint on trade in violation of § 1 of the Sherman Act, 15 U.S.C. § 1, and attempted monopolization in violation of § 2 of the Sherman Act, 15 U.S.C. § 2.

According to SecurityMetrics, First Data had contracts with ISOs, i.e., third-party sales organizations that market, open, and manage merchant processing accounts for acquirers and payment processors, that imposed billing minimums on the ISOs. Fees paid to First Data for use of its PCI Rapid Comply program would count toward those billing minimums, while fees paid to other service vendors would not. From SecurityMetrics' perspective, this constituted an unlawful "tying" arrangement in violation of § 1 of the Sherman Act, which proscribes certain anticompetitive restraints on trade. Holding that SecurityMetrics had adequately stated such a claim, the court rejected First Data's argument that SecurityMetrics had failed to allege a necessary element of the tying claim, i.e., "an agreement conditioning purchase of the tying product upon purchase of the tied product (or at least upon an agreement not to purchase the tied product from another party)." First Data, No. RDB-12-2568, slip op. at 20. According to the court, the allegations describing the aforementioned billing structure—under which fees paid for the PCI Rapid Comply program would count toward billing minimums, but fees paid to other service vendors would not—sufficed to describe an unlawful "tying arrangement," at least at the pleadings stage. The court also declined to dismiss the § 1 Sherman Act claim on grounds that SecurityMetrics had purportedly failed to allege an actionable agreement to restrain trade or market-wide anticompetitive effect.

Likewise, the court permitted the § 2 Sherman Act claim to survive a pleadings-stage attack. Although finding SecurityMetrics' allegations insufficient to show the monopoly power needed to sustain an outright monopolization claim, the court held that SecurityMetrics had alleged enough to state an attempted monopolization claim, which requires only a showing that the defendant used anticompetitive conduct with the specific intent to monopolize and a dangerous probability of success. In reaching this conclusion, the court focused on SecurityMetrics' allegations of "exclusionary conduct" by First Data, including allegations of tying, predatory pricing, and false statements purportedly designed to mislead SecurityMetrics' customers.

At this stage of the case, the ultimate success or failure of SecurityMetrics' counterclaims is impossible to predict. Nevertheless, the Maryland court's decision will likely give processors and acquirers understandable unease as they attempt to implement their own PCI compliance solutions. At a minimum, the outcome of the case could have significant impacts on the marketing and fee structures associated with such "in-house" PCI compliance services.

Practical Steps to Mitigate Liability Risk
Until the uncertainty surrounding the issues raised in First Data is resolved, processors would be well advised to:

Carefully consider how they treat fees associated with in-house PCI compliance solutions. Although no final ruling has been issued in the First Data litigation, processors and acquirers hoping to avoid antitrust claims should pay close attention to how fees for in-house PCI compliance programs interact with ISO billing minimums. "Counting" those fees toward billing minimums while treating fees for third-party PCI solutions differently could invite a challenge to a perceived "tying" arrangement.

Evaluate branding of, and disclosures surrounding, in-house PCI compliance solutions. As the First Data case makes clear, employing the term "PCI" to market PCI solutions can be risky unless the user or program has received certification from the PCI Council. To avoid the specter of an unfair competition or Lanham Act claim, processors or acquirers lacking that certification may want to avoid using the term "PCI" in marketing their in-house compliance service (as awkward a task as that might seem). In addition, they should consider conspicuously informing merchants of their lack of PCI certification in marketing materials associated with their programs.

Continue to monitor the case. Again, the Maryland District Court—at this time—has not issued a final ruling in the case. As in all motions to dismiss, the court was required to accept SecurityMetrics' allegations as true. As the case further develops, subsequent rulings by the court may clarify the unfair competition and antitrust risks that processors and acquirers face in implementing their own in-house PCI compliance programs.

Keywords: antitrust, ISOs, Lanham Act, monopoly, payment processors, PCI, PCI compliance, predatory pricing, Sherman Act, unfair competition

Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).