Posted by Randy Gainer

The United States District Court for the Middle District of Pennsylvania ruled on October 18, 2005, that the bank that processed credit and debit card transactions for BJ’s Wholesale Club, Inc. may be liable for the costs that a credit union incurred to replace compromised cards. The ruling came in a lawsuit filed by the Pennsylvania State Employees Credit Union against Fifth Third Bank and BJ’s after data thieves hacked into BJ’s computers and downloaded credit and debit card data that BJs obtained when it processed card used at its stores. The thieves used the stolen data to create fraudulent cards and used the cards to make purchases. The credit union replaced the cards after cardholders and Visa notified the credit union of the fraudulent charges. The credit union spent about $100,000 to replace more than 20,000 cards.

Judge William Caldwell denied the bank’s motion to dismiss the credit union’s claim that the credit union was a third party beneficiary of the bank’s agreement with Visa. The bank-Visa agreement required the bank to assure that merchants who used the bank to process card transactions complied with Visa’s operating regulations. One of those regulations required merchants not to retain card data after transactions were processed. Card processing software that IBM installed at BJ’s retained the card data in a file that the data thieves found and downloaded.

Judge Caldwell held that the credit union stated a valid claim when it alleged that it was a party that Visa intended to benefit from the bank’s promise to Visa to assure that merchants complied with the no-data-retention requirement. Judge Caldwell wrote at p. 41 of his opinion: “The purpose of the agreement was to make the Visa network safe for issuing banks, either those already in the network or those contemplating joining it, by assuring them that their customer information will only be in a merchant’s possession long enough to make a transaction.”

The credit union pleaded four claims each against the bank and BJ’s. Judge Caldwell dismissed the negligence claims against both defendants, relying on the economic loss rule. He dismissed the indemnification and unjust enrichment claims against both defendants as well. The court also dismissed the credit union’s claim that it was a third party beneficiary of BJ’s agreement with the bank because that contract, unlike the bank-Visa agreement, specifically excluded all potential third party beneficiaries.

BJ’s earlier brought IBM into the case as a third-party defendant, claiming that IBM breached its agreement not to install a feature of its card-processing software that retained card data after transactions were completed. Judge Caldwell had earlier refused to dismiss several of BJ’s claims against IBM. After he dismissed all of the credit union’s claims against BJ’s, however, he dismissed BJ’s remaining claims against IBM sua sponte because they sought only to hold IBM liable for any damages BJ’s had to pay to the credit union. It remains to be seen whether BJ’s will bring a separate action against IBM.

In a separate order issued the same day, Judge Caldwell refused to dismiss a negligence claim by another card issuer, Sovereign Bank, against BJ’s, though the court did dismiss Sovereign’s negligence claim against Fifth Third bank, again on the economic loss doctrine. The court’s opinion is unclear regarding why the economic loss doctrine did not bar the negligence claims against BJ’s. The court also refused to dismiss Sovereign Bank’s third party beneficiary claim against Fifth Third for the same reasons it permitted the credit union to proceed on the same theory.

These decisions should provide guidance to lawyers for other card issuers who face costs to replace Visa cards that are compromised when merchants fail to follow Visa regulations. We presume, however, that Visa will soon amend its form contract with merchant banks to exclude potential third party beneficiaries.