Those practicing in the payments space know that recorded judicial decisions are few and far between concerning disputes over credit card processing contracts. Terms and conditions in these contracts are often created with heavy reliance on general contract principles, even though the operative acts of the parties are highly unique and subject to extensive third-party rules. The January 15, 2015 decision in Schnuck Markets v. First Data Merchant Data Services Corp. and Citicorp Payment Services, U.S.D.C. E.D. Missouri, No. 4:13-CV-2226-JAR, is one of those rare cases, and is a decision highlighting the importance of careful contract drafting in the context of the merchant processing relationship.
Schnuck, a well-known grocery business in Missouri, was the victim of a cyber attack in late 2012 through early 2013. As a consequence, the merchant’s acquirers (transaction processing servicers) withheld the complete settlement of transactions under the parties’ processing agreement. The question put to the District Court was whether the processors were within their contractual rights, specifically whether the processors improperly sought to fund a reserve account in an amount exceeding the merchant’s general maximum liability exposure under a Limitation of Liability clause.
Within the merchant processing agreement, the Limitation of Liability clause capped the merchant’s risk exposure at $500,000, except for acquirer losses arising from the merchant’s failure to comply with PCI Data Security Standards, and from “… liability for chargeback, servicers’ fees, Third-Party fees, and fees, fines or penalties [sic] by the Associations…” In the case at hand, the question was how the Card Associations’ claim for reimbursement of card issuer losses was to be treated under the Limitation of Liability provision. For those of us who do get into the weeds in these matters, the specific liability risk arose under Visa’s GCAR program and MasterCard’s ADCR program, through which the Associations may issue assessments to reimburse Issuers of the compromised cards for losses relating to the cancellation and re-issuance of cards and relating to fraudulent charges on those cards, if the data breach event involves data from the magstripe.
The Court carefully parsed the Card Associations’ rules and the parties’ contract. First, the Court found that “third party fees” and “fees, fines or penalties”, as the terms are used in the Limitation of Liability, do not encompass liabilities owed to issuers via the Card Associations’ Rules. The concept of Data Compromise Losses, although a relatively new business risk, was known to the draftsman and could have been included in the laundry list of excepted events. Thus the Limitation of Liability’s general cap of $500,000 was invoked, as this type of loss event was not specifically exempted. Second, the Court determined that such liability could not be properly categorized as a “fee” or a “third party fee,” as no intended or expected service was exchanged. Finally, the fiscal loss event could not be properly recognized as “fines” or “penalties,” at least as those terms are understood under Missouri state contract law, as a sum imposed as punishment. Nor could the Defendants convince the Court to shoehorn the Data Compromise Losses into either the contract’s other indemnity language or its PCI DSS non-compliance exception, for the primary reason that no allegation had been pleaded in the lawsuit that this merchant was either negligent or had operated out of DSS compliance.
The old adage is that contract boilerplate does not matter, until it does. And when it does, it can really matter, despite all the push-back that contract lawyers routinely encounter from the business’s principals and sales team. The Schnuck decision stands as reinforcement for the best practice goal that contract drafters should review even time-tested contract language to ensure that the text continues to accomplish the parties’ business goals and that it continues to allocate all the risks as the parties intend. There are ever-increasing risks of cyber attacks in all parts of the business world, the payments space included. Skilled legal draftsmen, with an actual working understanding of the “phone book” of the Card Associations’ rules and regulations and also an appreciation of the client’s processing procedures, must account for these essential variables when delivering their work product.