First Data, SecurityMetrics settle lawsuit over data access

Payment processor First Data Corp. and SecurityMetrics Inc., a provider of Payment Card Industry (PCI) Data Security Standards (DSS) compliance, resolved a lawsuit that alleged SecurityMetrics unlawfully restricted First Data's access to its customer security and reporting data. The processor accused SecurityMetrics of withholding the data in an attempt to force First Data to halt the introduction of its own PCI DSS-compliance solution. The suit was filed May 21, 2012, in the U.S. District Court in Utah.

SecurityMetrics was asked by The Green Sheet for comment on May 30, 2012, and replied by email the next day, stating, "SecurityMetrics and First Data have reached a mutual agreement to resolve the First Data Federal District Court filing on May 21, 2012."

When reached for comment May 30, 2012, Elizabeth Grice, First Data Director of Communications, said the company does not comment on pending litigation. Grice was not able to confirm or comment on the agreement by press time the next day.

Reaction to a new PCI solution

In its filing, First Data told the court nothing in its contract with SecurityMetrics prevents it from introducing its own PCI compliance solution. However, First Data claimed when it began implementing its own compliance solution, SecurityMetrics informed First Data it was in violation of their contract. SecurityMetrics then refused First Data full access to its project management and tracking portal, SecurityMetrics Merchant Compliance Console, and refused to give it access to its customers' regular and weekly reports, the processor stated.

In its complaint, First Data also accused SecurityMetrics of certain retaliatory actions that left First Data unable to meet monthly reporting obligations to customers; unable to provide accurate client support services and answer merchant questions; unable to "accurately determine merchants' PCI compliance status" and meet PCI reporting requirements; unable to figure month-end noncompliance status of merchants; and unable to accurately bill merchants.

First Data also complained in its court filing that SecurityMetrics had damaged its relationships with its customers through "inaccurate and incomplete PCI compliance reporting and support services" and alleged SecurityMetrics billed First Data customers directly without authorization to do so.

Request for relief and audit

First Data's complaint asked the court for a temporary restraining order and to require SecurityMetrics to provide all Console services it is allowed in its contract; provide accurate, updated merchant PCI compliance reports; provide disclosure of "all communications made to merchants in breach of the parties' contract;" provide an update of the status of all First Data customers, including merchants that are inactive; submit to an audit of its services and financial reports; and to stop contacting First Data customers. First Data also asked for compensatory and punitive damages and attorneys' fees.

Details of the settlement were not disclosed. SecurityMetrics was not able to respond to a request for more information by press time.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.