Those $5,000 fines are pocket change compared with the major PCI fines that the banks were assessed (and passed along to Genesco, as usual). But if U.S. District Judge William Haynes Jr. buys Genesco's argument—and he seems to be agreeing with Genesco a lot so far—that could augur badly for Visa, both in this case and in future efforts to assess PCI fines that aren't directly related to provable damages caused by the breach.
Visa's troubles really began on July 18, when the judge ruled that Genesco's clever maneuver to be able to sue Visa had actually worked. In 2011, after Genesco discovered a year-long breach but before its banks were fined by Visa, the retailer cut a deal with Wells Fargo, agreeing to reimburse the bank for any Visa fines (which Genesco was already contractually obligated to do) in exchange for the right to exercise Wells Fargo's option to sue Visa over the fine.
That agreement was valid under California law, Judge Haynes ruled, and Genesco's claim that Visa had committed fraud by assessing damages based on card accounts that Genesco says weren't actually exposed was also a valid (though not yet proven) basis for a complaint. Put simply, the judge refused to throw out any of Genesco's lawsuit, as Visa had asked.
The fact that Genesco gets to sue is crucial because while banks technically might have the right to sue card brands, they're really unlikely to. By signing that right away to Genesco, Wells Fargo can tell Visa that, gosh, it had no idea Genesco was going to do that. The bank's hands remain nominally clean.
That brings us to Genesco's effort to get the court to throw out the little fines. Genesco admits in its filing that its motion is unusually early in the process, especially since the banks have appealed the fines themselves (though Visa has been sitting on those appeals since 2011).
"Genesco believes, however, that the expenditure of the parties' (and the court's) resources on discovery issues regarding the non-compliance fines can and should be avoided by resolving Genesco's separate, purely legal contention that Visa breached its contracts with the acquiring banks because the non-compliance fines constitute an unenforceable penalty under California law," the Genesco motion said.
Or, translated from the strategic legalese: Your honor, tell us just this one more time that you agree with us, and put a little weight behind it by declaring that Visa was wrong in levying these smaller fines—purely in the interest of keeping things moving, of course.
Then, of course, once it's time to talk about the $13 million fine, Genesco will have good reason to believe the same kind of arguments will work.
Will the judge go along with it? That remains to be seen. But so far, Judge Haynes has shown remarkably little regard for the way PCI fines are supposed to work, at least from Visa's point of view. If he keeps this up, retailers may soon be able to expect proof that their breaches caused damage before they can be fined in proportion to that damage. And what kind of PCI enforcement would that be?