Those practicing in the payments space know that recorded judicial decisions are few and far between concerning disputes over credit card processing contracts.ย Terms and conditions in these contracts are often created with heavy reliance on general contract principles, even though the operative acts of the parties are highly unique and subject to extensive third-party rules.ย The January 15, 2015 decision inย Schnuck Markets v. First Data Merchant Data Services Corp. and Citicorp Payment Services, U.S.D.C. E.D. Missouri, No. 4:13-CV-2226-JAR, is one of those rare cases, and is a decision highlighting the importance of careful contract drafting in the context of the merchant processing relationship.
Schnuck, a well-known grocery business in Missouri, was the victim of a cyber attack in late 2012 through early 2013.ย As a consequence, the merchantsโ acquirer (transaction processing servicers) withheld the complete settlement of transactions under the partiesโ processing agreement. The question put to the District Court was whether the processors were within their contractual rights, specifically whether the processors improperly sought to fund a reserve account in an amount exceeding the merchantโs general maximum liability exposure under a Limitation of Liability clause?
Within the merchant processing agreement, the Limitation of Liability clause capped the merchantsโ risk exposure at $500,000, except for acquirer losses arising from the merchantโs failure to comply with PCI Data Security Standards, and from โโฆ liability for chargeback, servicersโ fees, Third-Party fees, and fees, fines or penalties [sic] by the Associationsโฆโ In the case at hand, the question was how the Card Associationsโ claim for reimbursement of card issuer losses was to be treated under the Limitation of Liability provision. For the those of us who do get into the weeds in these matters, the specific liability risk arose under Visaโs GCAR program and MasterCardโs ADCR program through which the Associations may issue assessments to reimburse Issuers of the compromised cards for losses relating to the cancellation and re-issuance of card and relating to fraudulent charges on those cards, if the data breach event involves date from the magstripe.
The Court carefully parsed the Card Associations rules and the partiesโ contract. First, the court found that โthird party feesโ and โfees, fines or penaltiesโ, as the terms are used in the Limitation of Liability, do not encompass liabilities owed to issuers via the Card Associationsโ Rules. The concept of Data Compromise Losses, although a relatively new business risk, was known to the draftsman and could have been included in the laundry list of excepted events. Thus the Limitation of liabilityโs general cap of $500,000 was invoked, as this type of loss event was not specifically exempted. Second, the Court determined that such liability could not be properly categorized as a โfeeโ or a โthird party fee,โ as no intended or expected service was exchanged. Finally, the fiscal loss event could not be properly recognized as โfinesโ or โpenalties,โ as least as those terms are understood under Missouri state contract law, as a sum imposed as punishment.ย Nor could the Defendants convince the Court to shoehorn the Data Compromise Losses into either the contractโs other indemnity language or its PCI DSS non-compliance exception, for the primary reason that no allegation had been pleaded in the lawsuit that this merchant was either negligent or had operated out of DSS compliance.
The old adage is that contract boilerplate does not matter, until it does. And when it does, it can really matter; despite all the push-back that contract lawyers routinely encounter from the businessโ principals and sales team.ย ย The Schnuck decision stands as reinforcement for the best practice goal that contract drafters should review even time-tested contract language to ensure that the text continues to accomplish the partiesโ business goals and that it continues to allocate all the risks as the parties intend. There are ever-increasing risks of cyber attacks in all parts of the business world, the payments space included.ย Skilled legal draftsmen, with an actual working understanding of the โphone bookโ of the Card Associationโs rules and regulations and also an appreciation of the clientโs processing procedures, must account for these essential variables when delivering their work product.