FOR THE MIDDLE DISTRICT OF TENNESSEE
NASHVILLE DIVISION

GENESCO, INC.,
        Plaintiff,

v.                                          Case No. 3:13-0202
                                            Chief Judge Haynes
VISA U.S.A., INC., VISA, INC., and
VISA INTERNATIONAL SERVICE
ASSOCIATION,
        Defendants.

AMENDED MEMORANDUM

Plaintiff, Genesco Inc., a Tennessee corporation, filed this action under 28 U.S.C. § 1332, the federal diversity jurisdiction statute, against the Defendants: Visa U.S.A. Inc., Visa Inc., and Visa International Service Association (collectively “Visa”), Delaware corporations with their principal places of business in California. Genesco asserts state law claims against the Visa Defendants arising out of Visa’s assessments of $13,298,900.16 in non-compliance fines and reimbursement assessments after a cyber attack involving credit and debit card purchases at Genesco’s retail establishments. Visa imposed these assessments against Wells Fargo Bank, N.A. and Fifth Third Financial Corporation under Visa’s agreements with those Banks to process retail purchases with Visa credit and debit cards. Wells Fargo and Fifth Third had separate agreements with Genesco to process Visa credit and debit card transactions for purchases at Genesco’s retail establishments. Wells Fargo and Fifth Third also had indemnification agreements with Genesco under which Genesco agreed to indemnify Fifth Third and Wells Fargo for the Banks’ losses incurred in processing Visa credit and debit card transactions with Genesco’s retail establishments. Fifth Third and Wells Fargo collected Visa’s fines and assessments from Genesco. For this action, Genesco is the assignee and subrogee of Fifth Third and Wells Fargo for any claims of those Banks against Visa for these fines and assessments.

Case 3:13-cv-00202 Document 338 Filed 03/10/14 Page 1 of 52 PageID #: 6843
`
Genesco asserts multiple claims for Visa’s alleged breaches of contracts and implied covenants of good faith and fair dealing in imposing and collecting these fines and assessments. Genesco also asserts claims under the California Unfair Competition Act, Cal. Bus. & Prof. Code § 17200 et seq. and common law claims of unjust enrichment and restitution. The specifics of Genesco’s claims are, in essence, that Visa’s fines and assessments against the Banks lack a factual basis and were imposed in violation of Visa’s Visa International Operating Regulations (“VIOR”) that are incorporated into Visa’s agreements with Wells Fargo and Fifth Third. Genesco seeks recovery of Visa’s fines and assessments against the Banks as well as incidental damages incurred by these Banks and Genesco due to Visa’s alleged wrongful conduct in imposing and collecting these fines and assessments. In earlier proceedings, the Court denied Visa’s motion to dismiss Genesco’s claims under the California Unfair Competition Act, Cal. Bus. & Prof. Code § 17200 et seq. and common law claims of unjust enrichment and restitution. (Docket Entry Nos. 49 and 50).

Before the Court are the following discovery motions: Genesco’s motion for a protective order (Docket Entry No. 88), Visa’s motion to compel (Docket Entry No. 120) and Genesco’s motions for protective order concerning Visa’s subpoena to Genesco’s expert consultant and Visa’s deposition notice for Genesco’s general counsel. (Docket Entry Nos. 201 and 235). The Court held a discovery hearing on these motions that raise common or overlapping issues about the scope of appropriate discovery in this action. Given the complexity of the issues raised in the motions, the Court circulated a draft Memorandum and granted leave for the parties’ counsel to review and comment. The Court also granted the parties leave to file supplemental memoranda. The parties submitted multiple memoranda as well as multiple affidavits. See Docket Entry Nos. 221, 227, 229, 241, 253, 275, 278 and 296.

In sum, Genesco contends that this controversy involves whether Visa’s determinations that Genesco committed the four security violations have factual bases to justify Visa’s imposition of the fines and assessments. Genesco alleges that Visa lacked a factual basis for these fines and assessments and thereby breached Visa’s contracts with Wells Fargo and Fifth Third, as well as the legal obligations owed directly to Genesco. In addition, Genesco asserts that under Visa’s VIOR, Visa may look only to the facts relied upon by Visa in assessing fines or reimbursement costs. Thus, Genesco deems Visa’s discovery requests for all aspects of Genesco’s computer system to be irrelevant and barred by California law as well as the attorney-client and work product privileges. Based upon the prior investigation of Genesco’s computerized payment network compliance at Visa’s behest, Genesco contends that Visa’s discovery requests are unduly burdensome and request irrelevant information. Genesco also challenges Visa’s discovery requests and subpoena to the Stroz firm, its nontestifying expert consultant, as barred by Fed. R. Civ. P. 26(b)(4)(D) absent a showing of requisite extraordinary circumstances that Visa has not made. Genesco also asserts the attorney-client and work product privileges as barring the depositions of its general counsel and expert consultant.

For its contentions, Visa asserts, in essence, that Genesco’s complaint repeatedly alleges Genesco’s compliance with all computer security requirements, and that those allegations justify discovery of Genesco’s entire computer network for compliance with Visa’s VIOR, including Genesco’s remediation of its computer system after the cyber attack. Visa also contends that Genesco waived any privilege by failing to file a privilege log and cites Genesco’s voluntary disclosures of its consultant’s findings. As to Genesco’s general counsel, Visa cites the affidavits submitted by Genesco’s counsel in this action and contends that Genesco’s general counsel is the sole source of information on Genesco’s theory of rebooting that is asserted to invalidate the factual predicates for Visa’s fines and assessments.
`
A. Factual Background¹

1. The Cyber Attack and Visa’s Assessments

Between December 2009 and December 2010, a cyber attack occurred on Genesco’s computer network that targeted payment card data on Genesco’s computer network for its retail establishments throughout the world. (Docket Entry No. 1, Complaint at ¶¶ 17-22 and Docket Entry No. 121, Exhibit B to Carrillo Affidavit at 3). Specifically, intruders installed software onto Genesco’s computer network to obtain cardholders’ unencrypted account data as that data was transmitted to Wells Fargo or Fifth Third for payment authorizations. Id.

On June 1, 2010, Visa provided Wells Fargo its Common Point of Purchase (“CPP”) report on Genesco. This report revealed that Issuers of Visa cards sent CPP reports about multiple accounts subjected to fraudulent activity, with Genesco as the common point of purchase. (Docket Entry Nos. 188-1 and 188-2, Edwards Affidavit, Exhibits B and C thereto). CPP reports continued for the next several months. (Docket Entry No. 188-3, Edwards Affidavit, Exhibit D thereto). On June 1, 2010, Visa requested Wells Fargo to submit a questionnaire to Genesco about these activities that Wells Fargo initiated. (Docket Entry No. 188-1, Edwards Affidavit, Exhibit B thereto). On October 25, 2010, Visa recommended that Wells Fargo conduct a forensic investigation. (Docket Entry No. 188-3, Exhibit D to Edwards Affidavit).

¹ This section is necessary to place the parties’ discovery disputes in an appropriate context. This section does not constitute findings of fact. “The first step in the resolution of any legal problem is ascertaining the factual background and sifting through the facts with an eye to the legally relevant.” Upjohn Co. v. United States, 449 U.S. 383, 390-91 (1981) (attorney-client privilege controversy). The Court cannot understand the parties’ contentions without a review of the factual record and deems it necessary to consider the text of relevant documents, as opposed to counsel’s characterizations of those documents.

Citing Wells Fargo’s and Fifth Third’s obligations under the VIOR to ensure their merchants’ compliance with Visa’s computer security requirements, Visa required Fifth Third and Wells Fargo to submit validation and documentation of Genesco’s compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) by a Qualified Security Assessor. Visa also required a quarterly network vulnerability scan and a completed attestation of Genesco’s compliance. (Docket Entry Nos. 125 and 126, Carrillo Affidavit, Exhibits F and G thereto). Fifth Third submitted this documentation on behalf of Genesco on June 29, 2011, and Wells Fargo did so on July 6, 2011. (Docket Entry Nos. 127-128, Carrillo Affidavit, Exhibits H and I thereto).

Earlier, on November 2, 2010, Genesco retained Trustwave International Security and Compliance (“Trustwave”) to conduct a forensic investigation of the cyber attack that the parties refer to as the “Intrusion.” (Docket Entry No. 91, Sisson Affidavit at ¶ 4).² Trustwave is among the firms listed as PCI Forensic Investigators (“PFIs”) that are approved by the PCI Security Standards Council to conduct forensic computer investigations. On November 30, 2010, Trustwave commenced its on-site investigation at Genesco’s computer facilities, namely, “to physically inspect and assess the following:

• Four Payment Switches
• Four Windows Active Directory Domain Controllers
• Physical Security
• Network Topology”

(Docket Entry No. 104 at 7).

² Visa insists that it did not direct Genesco or its Acquiring Banks to select Trustwave. (Docket Entry No. 184 at 10 n.1)
`
On January 27, 2011, Trustwave submitted its Incident Response Final Report that found Genesco noncompliant on three of twelve PCI DSS requirements at the time of fraudulent activities and that each deficiency contributed to the Intrusion. (Docket Entry No. 104 at 37). Trustwave’s Report also noted some security deficiencies. Id. at 14. The specific “Security Deficiencies” found by Trustwave were listed as follows:

4.3 Security Deficiencies
Through the onsite assessment, Genesco personnel interviews, and analysis, Trustwave discovered the following system and network security deficiencies:

1. Network Segmentation
   a) The PCI Zone was not fully segmented from the Genesco WAN; port 3389 (RDP) was configured to allow internal remote access from systems outside of the PCI Zone.
   b) Inbound and outbound access from the PCI Zone was not fully configured.

2. Remote Access
   a) The remote access solution for third-party vendor accounts was persistently enabled; remote access for third-party accounts should only be accessible on an as-needed basis and enforce two-factor authentication.

3. File Integrity Monitoring
   a) File integrity monitoring software was not configured to monitor the Windows System32 directory.

Id. at 14-15. Genesco describes the Trustwave report as finding four violations of 3 PCI DSS or VIOR requirements: Requirement 1, 8 (two violations) and 11. (Docket Entry No. 181 at 5-6, Harrington Affidavit, Exhibit X thereto). The Trustwave Report recommended several remedial measures and confirmed that Genesco installed those remedial measures onto its computer system. (Docket Entry No. 104 at 32-33).
`
Based on the Trustwave report with the PCI DSS violations, Visa determined that the Intrusion qualified under Visa’s Account Data Compromise Recovery (“ADCR”) and Data Compromise Recovery Solution (“DCRS”) programs. (Docket Entry Nos. 122-24, Exhibits C, D and E to Carrillo Affidavit). Visa found as follows:

Evidence of Compromise

The forensic report provided by Trustwave found conclusive evidence that an account compromise event occurred. The report concluded the following:

• There were 3 PCI violations. (Forensic Report, p. 37)
• Evidence analyzed by Trustwave indicates that an address based in Belarus logged into the Genesco network with a vendor's VPN account. This account then used RDP to remotely access the payment switches and installed network-packet capture malware to capture track data as it was sent through the system for authorization. (Forensic Report, p. 3)
• Through analysis Trustwave is able to confirm that the earliest the malware was running on the impacted credit switches was December 4, 2009. Furthermore, Trustwave is able to determine the user account that the attacker used (orasvc) and confirm that the attacker was connected externally via a VPN account. (Forensic Report, p. 16)
• VPN and domain controller logs indicate the attacker accessing the cardholder data environment. (Forensic Report, p. 27)
• Analysis revealed the presence of network sniffing malware active on all four payment switches. (Forensic Report, p. 14)
• The malware installed by the attackers was a version of tcpdump.exe, network sniffing malware, which was installed and renamed to look like a legitimate system application service on December 4, 2009 and removed on December 1, 2010. (Forensic Report, p. 23)
• Attacker aggregates malware output into multipart rar archive. (Forensic Report, p. 27)
• Trustwave was able to determine that the malware output contained restricted cardholder data. In this malware output, Trustwave was able to determine that several pieces of cardholder information were exposed, for both cards which were swiped and those that were manually typed at retail locations. (Forensic Report, p. 20)

The PCI DSS Violations indicated as “Not In Place” on page 7 could have allowed a compromise to occur.

(Docket Entry No. 99 at 7).
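The qualification summary above describes the intrusion path as a vendor VPN account (orasvc) authenticating from an unexpected address, followed by RDP sessions into the payment switches, reconstructed after the fact from VPN and domain controller logs. The following is an added example, not part of the court record and not any party's tooling, showing the correlation a detection rule would run over VPN and Windows logon events to surface that pattern while it is happening. The log line formats, the host names (paysw01 through paysw04, orahelp01), the vendor allowlist 203.0.113.0/24 and every address and timestamp in the sample lines are constructed for the example; only the account name orasvc comes from the forensic report as quoted.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed environment data (constructed for the example, not from the record).
VENDOR_ACCOUNTS = {"orasvc"}                                     # account name is from the forensic report
VENDOR_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed vendor egress range
CDE_HOSTS = {"paysw01", "paysw02", "paysw03", "paysw04"}          # assumed payment switch host names
PIVOT_WINDOW = timedelta(minutes=30)

# Assumed line formats: VPN concentrator logins, and Windows Security 4624 logon
# events. Logon type 10 (RemoteInteractive) is what an RDP session records.
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) action=login$")
WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=4624 user=(?P<user>\S+) type=(?P<ltype>\d+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class VpnLogin:
    ts: datetime
    user: str
    src: str


@dataclass(frozen=True)
class RdpLogon:
    ts: datetime
    host: str
    user: str
    src: str


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse(lines):
    """Split raw lines into VPN logins and RDP logons; anything else is ignored."""
    vpn, rdp = [], []
    for line in lines:
        line = line.strip()
        if m := VPN_RE.match(line):
            vpn.append(VpnLogin(_ts(m["ts"]), m["user"], m["src"]))
        elif (m := WIN_RE.match(line)) and m["ltype"] == "10":
            rdp.append(RdpLogon(_ts(m["ts"]), m["host"], m["user"], m["src"]))
    return vpn, rdp


def _allowed_source(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in VENDOR_ALLOWED_NETS)


def detect(lines):
    """Two rules:
    1. a vendor account authenticating to the VPN from outside its allowlisted ranges;
    2. a vendor account opening an RDP session to a CDE host within PIVOT_WINDOW of
       a VPN login by that same account (the pivot the forensic report describes).
    Returns alerts in rule order, each as a dict.
    """
    vpn, rdp = parse(lines)
    alerts = []
    for v in vpn:
        if v.user in VENDOR_ACCOUNTS and not _allowed_source(v.src):
            alerts.append({"rule": "vendor_vpn_unexpected_source", "user": v.user,
                           "src": v.src, "ts": v.ts.isoformat()})
    for r in rdp:
        if r.user not in VENDOR_ACCOUNTS or r.host not in CDE_HOSTS:
            continue
        prior = [v for v in vpn if v.user == r.user and timedelta(0) <= r.ts - v.ts <= PIVOT_WINDOW]
        if prior:
            alerts.append({"rule": "vendor_rdp_into_cde_after_vpn", "user": r.user,
                           "host": r.host, "ts": r.ts.isoformat(), "vpn_src": prior[-1].src})
    return alerts


# Constructed sample log (not Genesco's data): one approved vendor session on
# 3 Dec, then the same account arriving from an unknown address on 4 Dec and
# hopping by RDP to two payment switches.
SAMPLE_LOG = """
2009-12-03T14:02:11Z vpn user=orasvc src=203.0.113.17 action=login
2009-12-03T14:05:40Z host=orahelp01 event=4624 user=orasvc type=10 src=10.20.0.5
2009-12-04T02:11:05Z vpn user=orasvc src=198.51.100.23 action=login
2009-12-04T02:14:52Z host=paysw01 event=4624 user=orasvc type=10 src=10.20.0.5
2009-12-04T02:20:09Z host=paysw02 event=4624 user=orasvc type=10 src=10.20.0.5
2009-12-04T09:00:00Z host=paysw01 event=4624 user=svc_backup type=3 src=10.20.0.9
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 1 needs nothing but the source address of the vendor login; rule 2 ties the VPN session to the RDP logon in time, which is the relationship the investigators had to rebuild from VPN and domain controller logs months later. Both rules exist to compensate for a vendor account that is enabled at all times; where such accounts are enabled only for an agreed change window, any login outside that window is an alert on its own.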
`
Visa assessed Wells Fargo and Fifth Third Bank in excess of $13 million in addition to $10,000 in fines for failing to ensure Genesco’s PCI DSS compliance. (Docket Entry Nos. 122-126, Exhibits C, D, E, F and G thereto, Carrillo Affidavit). The assessments were represented as reimbursements to Visa’s issuing Banks for their counterfeit fraud and associated operating expenses and losses. Id. As discussed infra, under Visa’s VIOR, any assessments of fines and reimbursements must be based upon facts known to Visa. (Docket Entry Nos. 122-124, Carrillo Affidavit, Exhibits C, D, and E thereto).

Under Visa’s VIOR, Fifth Third and Wells Fargo could appeal these fines and assessments and the Banks requested extensions to appeal to allow the Banks and Genesco to request information to determine whether to appeal under the VIOR process or to initiate litigation after Visa collected the fines and assessments. (Docket Entry Nos. 151-1 at 10-11, 159 at 1, 161 at 1, 181 at 11 and 182 at 8). Sometime in March 2011, Genesco provided Wells Fargo and Fifth Third Bank with an annotated response to the Trustwave report challenging Trustwave’s findings of Genesco’s noncompliance with the three cited PCI DSS requirements under Visa’s VIOR. Genesco argued that there were not any security deficiencies in Genesco’s computer system. (Docket Entry No. 129, Carrillo Affidavit, Exhibit J thereto at 4 citing (Comment [A34]), 5 (Comment [A55]), and 7 (Comments [A80]-[A83])).
`
In a July 11, 2011 document entitled “Visa review of Genesco's PCI DSS violations Trustwave report dated January 27, 2011”, Ingrid Beierly, a Visa employee, wrote:

Trustwave identified the following PCI DSS violations:

Requirement 1 - Install and maintain a firewall configuration to protect cardholder data

Trustwave findings indicate this requirement contributed to the breach. Their justification is below:

   Services allowing remote access (RDP) into the cardholder data environment from untrusted networks facilitated the attacker in compromising cardholder data.

Visa does not agree with TW's assessment that Genesco is in violation of Req 1. RDP was running on the internal network. TW should have reviewed to determine if a firewall exists between the corporate WAN and the payment card data environment (although this does not appear to be a PCI requirement, either). Per PCI DSS v2.0, Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is not a PCI DSS requirement. However, it is strongly recommended. PCI DSS does require that, if there is no segmentation, the entire network is in scope of the PCI DSS assessment. Question for Genesco: did their previous PCI assessment include the entire network?

Visa does agree that RDP contributed to the breach. Questions for TW:
1) Per PCI DSS requirement 2.3, all non-console administrative access must be encrypted. Did Genesco use VPN/SSH/SSL/TLS to encrypt RDP sessions? If not, Genesco was in violation of 2.3. This should have been documented on the forensic report and reflected on the PCI DSS Requirements Overview.

Requirement 8 - Assign a unique ID to each person with computer access

Trustwave findings indicate this requirement contributed to the breach. Their justification is below:

   The third-party support account was enabled at all times. VPN access into the cardholder data environment wasn't enforcing two-factor authentication.

Visa's review of forensic findings:

• Visa agrees with TW's assessment that Genesco is in violation of Req 8. Per forensic report, pages 15 and 32, remote access solution for third-party vendor accounts was persistently enabled; remote access for third-party accounts should only be accessible on an as-needed basis and enforce two-factor authentication. Since Genesco did not have full segmentation (see network diagram on page 9), their corporate WAN would be in scope with PCI DSS and PFI forensic investigation. Thus, the following requirement would apply:

   8.5.6 Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.

• In addition, Genesco was also in violation of 8.5.8 - Do not use group, shared, or generic accounts and passwords, or other authentication methods.

If Genesco disagrees, they must provide proof that their corporate WAN was completely segmented from the payment processing environment at the time of the security breach. This must be confirmed by TW since they performed the forensic investigation.

Requirement 11 - Regularly test security systems and processes.

Trustwave findings indicate this requirement contributed to the breach. Their justification is below:

   The file integrity monitoring solution wasn't configured to monitor all critical system directories.

Visa's review of forensic findings:

• Visa agrees with TW's assessment that Genesco was in violation of Req 11. Per forensic report page 33, File integrity monitoring (FIM) software was not configured to monitor the Windows System32 directory. PCI DSS req 11 requires the following:

   Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

• System32 is a directory which contains critical system files (i.e., executables, DLLs, etc.). This is a standard directory where critical system files are installed. FIM should have been monitoring the system32 directory within the payment card switch servers. Furthermore, it is a PCI requirement to alert personnel in the event of modification to critical system files.

(Docket Entry No. 106 at 1-2) (emphasis added in part). On November 7, 2011, Visa voted to qualify the Intrusion for its ADCR and DCRS programs based only on the “Qualification Summaries” that Visa staff had prepared. (Docket Entry Nos. 164 and 224 at 2).
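Visa's Requirement 11 finding turns on file-integrity monitoring that did not cover System32, and the Trustwave evidence summary earlier in this section records that the sniffer was a renamed tcpdump.exe placed on the payment switches on December 4, 2009. The following added example, not from the court record and not any party's product, shows the baseline-and-compare logic such a tool runs: it hashes every file under a directory, diffs two baselines to report added, removed and modified files, and looks up new or changed files in a catalogue of known tool hashes so that a renamed binary is identified by its content rather than its name. The directory tree, the file names (kernel32.dll, services.exe, netsvc.exe) and the stand-in "sniffer" bytes are constructed for the demo; a real catalogue would hold hashes of actual tool builds.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old, new, known_tools):
    """Diff two baselines.

    Returns added / removed / modified path lists plus 'renamed_tools': any added
    or modified file whose content hash is in known_tools (hash -> tool name),
    which is how a sniffer dropped under a service-like name is still recognised.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    renamed = [(p, known_tools[new[p]]) for p in added + modified if new[p] in known_tools]
    return {"added": added, "removed": removed, "modified": modified, "renamed_tools": renamed}


def demo():
    """Build a stand-in System32, baseline it, simulate the drop, and compare."""
    # Constructed stand-in for the sniffer binary (not a real tcpdump build).
    sniffer = b"MZ constructed stand-in for tcpdump.exe"
    known_tools = {hashlib.sha256(sniffer).hexdigest(): "tcpdump.exe (packet sniffer)"}
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "System32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"constructed dll contents")
        (sys32 / "services.exe").write_bytes(b"constructed exe contents")
        before = baseline(sys32)   # the reference the weekly (or continuous) comparison runs against
        # Simulated intrusion: sniffer dropped under an invented service-like
        # name, and an existing binary tampered with.
        (sys32 / "netsvc.exe").write_bytes(sniffer)
        (sys32 / "services.exe").write_bytes(b"constructed exe contents PATCHED")
        after = baseline(sys32)
        return compare(before, after, known_tools)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The requirement quoted in the memo asks for comparisons at least weekly; a sniffer that ran for a year, as the evidence summary describes, would have been reported at the first comparison after December 4, 2009 if System32 on the switches had been in the monitored set. The hash catalogue is what turns "new file netsvc.exe" into "tcpdump renamed", so it is worth keeping current with the packet-capture and credential-dumping tools an attacker is likely to bring.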
`
Between November 7, 2011 and January, 2013, Fifth Third and Wells Fargo had discussions with Visa on Visa’s qualification process. Visa extended the appeal deadline during these discussions. (Docket Entry Nos. 159, 161, 162, 168, 173 and 175). On November 22, 2011, Fifth Third and Wells Fargo requested information and on January 9, 2012, Visa responded to some, but not all of the November 22nd requests. (Docket Entry Nos. 159, 161, 167, 168). The Banks and Visa negotiated production of the unanswered requests. (Docket Entry No. 151, Harrington Affidavit at ¶ 71). During this time period, the Banks’ appeal was stayed, and Genesco provided additional information and documentation to Visa and sought reciprocity from Visa. (Docket Entry Nos. 169-170). During this time period, Visa did not request any information about Genesco’s PCI DSS compliance or non-compliance,³ but sought information about Genesco’s assertions that reboots of Genesco’s servers caused the overriding of the Intruder-created log files. (Docket Entry No. 169). Ultimately, Visa did not request any additional information about Genesco’s PCI DSS compliance or non-compliance. (Docket Entry No. 151, Harrington Affidavit at ¶ 71).⁴

³ According to Genesco, Visa considered the information and documentation requested by Genesco in the period after issuing the Qualification Summaries “not germane.” (Docket Entry Nos. 167-169)

⁴ In this connection, Visa quoted a statement that, in essence, Visa considers various sources of information, (Docket Entry No. 210 at 5), but the cited Docket Entry does not contain the Exhibit Z quoted by Visa. The Court also is concerned that the Beierly memorandum, a significant three page document, is lacking the third page.

At some undefined point in “late 2012,” Visa purportedly declined any more extensions of the Banks’ appeal. (Docket Entry No. 227 at 4). On September 28, 2012, Visa stated that “based on the information in the January 27, 2011 Trustwave Forensic Report, the identification of affected accounts provided by Genesco’s acquirers, and the overall counterfeit fraud experienced by the accounts included in the qualification . . . Visa continues to believe that the Genesco account data compromise event was properly qualified” under the ADCR and DCRS programs. (Docket Entry No. 151, Harrington Affidavit at ¶ 74). On October 26, 2012, Genesco and the Acquiring Banks decided not to pursue the appeal, given Visa’s refusal to provide the information sought by their November 22 requests and because they considered the VIOR appeal process to be presumptively biased in Visa’s favor. (Docket Entry No. 67, Rofkar Affidavit, at ¶¶ 16-17 and Docket Entry No. 54 at 7 n.1).

2. Visa’s Relevant VIOR

Visa’s VIOR sets forth the governing principles for Visa’s assessments of fines and reimbursements against Acquiring and Issuing Banks that provide, in pertinent part:

Cardholder and Transaction Information Security - U.S. Region

A U.S. Member must comply, and ensure that its Merchants and Agents comply, with the requirements of the Cardholder Information Security Program, available from Visa upon request or online at http://www.visa.com/cisp.

A third party that supports a loyalty program or provides fraud control services, as specified in "Disclosure of Visa Transaction Information - U.S. Region" and "Cardholder and Transaction Information Disclosure Limitations - U.S. Region," must comply with the requirements of the Cardholder Information Security Program.
`
`
`
A U.S. Member must comply, and ensure that its Merchants and Agents comply, with the Transaction Information security requirements in the Visa International Operating Regulations, the Payment Card Industry Data Security Standard (PCI DSS), and the validation and reporting requirements outlined in the Cardholder Information Security Program. The Payment Card Industry Data Security Standard (PCI DSS) and the Cardholder Information Security Program requirements are available online at http://www.visa.com/cisp.

An Acquirer must ensure that its Merchant:

• Implements and maintains all of the security requirements, as specified in the Cardholder Information Security Program
• Immediately notifies Visa, through its Acquirer, of the use of a Third Party
• Ensures that the Third Party implements and maintains all of the security requirements, as specified in the Cardholder Information Security Program
• Immediately notifies Visa, through its Acquirer, of any suspected or confirmed loss or theft of material or records that contain account information and:
  - Demonstrates its ability to prevent future loss or theft of account or Transaction information, consistent with the requirements of the Cardholder Information Security Program
  - Allows Visa, or an independent third party acceptable to Visa, to verify this ability by conducting a security review, at the Acquirer's own expense

ID#: 010410-010410-0008031

Fines and Penalties

Non-Compliance with Account and Transaction Information Security Standards
VIOR 2.1.E

If Visa determines that a Member, its agent, or a Merchant has been deficient or negligent in securely maintaining the account or Transaction Information or reporting or investigating the loss of this information, Visa may fine the Member, as specified in the Visa International Operating Regulations, or require the Member to take immediate corrective action.
`
`
`
ID#: 010410-010410-0001753

Issuer Identification on Card

Visa identifies the Issuer that ordered the manufacture of a Visa Card or Visa Electron Card by either the name printed on the Visa Card or Visa Electron Card or the manufacturer product information printed on the back of the Visa Card or Visa Electron Card.

There is no time limit on a Member's right to reassign liability to the Issuer under this section.

ID#: 010410-010410-0008158

Counterfeit Card Transaction Reporting

If a Member discovers Counterfeit Card activity, the Member must immediately report the Account Number to Visa.

ID#: 010410-010410-0001816

Account Data Compromise Recovery (ADCR)

Account Data Compromise Recovery Process - U.S. Region

In the U.S. Region, the Account Data Compromise Recovery (ADCR) process allows Visa to determine the monetary scope of an account compromise event, collect from the responsible Member, and reimburse Members that have incurred losses as a result of the event.

ADCR allows the recovery of counterfeit transaction losses across all Visa-owned brands (i.e., Visa, Interlink, and Plus) when a violation attributed to another Visa Member could have allowed data to be compromised and the subsequent financial loss was associated with any of the following:

• A Visa Transaction
• An Interlink transaction
• A Plus transaction

This process is only available when there has been a violation of at least one of the following:

• Operating Regulations involving electronic storage of the full contents of any track on the Magnetic Stripe subsequent to Authorization of a Transaction
• Operating Regulations involving non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) that could allow a compromise of the full contents of any track on the Magnetic Stripe
• Operating Regulations involving the PIN Management Requirements Documents that could allow a compromise of PIN data for a Visa Transaction, a Plus transaction, or an Interlink transaction subsequent to Authorization

The Account Data Compromise Recovery process includes:

• Counterfeit Fraud Recovery
• Operating Expense Recovery

ID#: 081010-010410-0000877

Transactions Excluded from ADCR Process - U.S. Region

In the U.S. Region, violations of the Visa International Operating Regulations not involving storage of Magnetic-Stripe Data are excluded from this process.

In the U.S. Region, violations not involving non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) that could allow a compromise of the full contents of any track on the Magnetic Stripe are excluded from this process.

Violations not involving a Transaction are resolved as specified in "Visa Right to Fine" and as deemed appropriate by Visa.

ID#: 081010-010410-0000878

Determination of ADCR Eligibility - U.S. Region

Effective for Qualifying CAMS Events that occurred on or before 30 March 2009, following the fraud analysis and investigation of the compromise event, a U.S. Member:

• Is provided with findings in support of the preliminary determination that the event is eligible for the ADCR process
• Is provided with any estimated counterfeit fraud and operating expense liability amounts
• May submit a written appeal, within 30 calendar days of the preliminary findings notification date, with supporting documentation to Visa. Such appeal will be considered by the ADCR Review Committee or, if the total Acquirer liabilities are US $500,000 or more, the appeal will be considered by the Corporate Risk Committee. A determination of such appeal will be provided to the Acquirer.

Effective for Qualifying CAMS Events that occur on or after 31 March 2009, following the fraud analysis and investigation of the compromise event, the U.S. Member is provided with:

• Findings in support of the preliminary determination that the event is eligible for the ADCR process
• Any estimated counterfeit fraud and operating expense liability amounts

ID#: 010410-010410-0009035

Counterfeit Fraud Recovery Process - U.S. Region

A U.S. Member is compensated for a portion of its counterfeit fraud losses incurred as the result of a Magnetic-Stripe Data account compromise event. The Counterfeit Fraud Recovery process is initiated by Visa when:

• An account compromise event occurs
• A Compromised Account Management System (CAMS) Alert, or multiple CAMS Alerts for the same account compromise event, is sent to affected Members
• Effective for Qualifying CAMS Events that occur on or before 30 June 2010, the account compromise event involves at least 10,000 Account Numbers
• Effective for Qualifying CAMS Events that occur on or after 1 July 2010, the account compromise event involves at least 10,000 Account Numbers and a combined total of US $100,000 or more recovery for all Issuers involved in the event
• At least one of the following:
  - The full contents of any track on the Magnetic Stripe was stored subsequent to Authorization of a Transaction
  - A violation of the Payment Card Industry Data Security Standard (PCI DSS) could have allowed a compro