Sovereign Bank v. Bj's Wholesale Club, Inc.

• Citation: 533 F.3d 162
• Decision Date: 16 July 2008
• Docket Number: No. 06-3405.,No. 06-3392.,06-3392.,06-3405.
• Parties: SOVEREIGN BANK, Appellant No: 06-3392 v. BJ'S WHOLESALE CLUB, INC.; Fifth Third Bancorp. Pennsylvania State Employees Credit Union, Appellant No: 06-3405 v. Fifth Third Bank; Bj's Wholesale Club, Inc. Bj's Wholesale Club, Inc., Defendant/Third-Party Plaintiff v. International Business Machines Corporation, Inc., Third-Party Defendant.
• Court: United States Courts of Appeals. United States Court of Appeals (3rd Circuit)

533 F.3d 162

SOVEREIGN BANK, Appellant No: 06-3392 v. BJ'S WHOLESALE CLUB, INC.; Fifth Third Bancorp.

Pennsylvania State Employees Credit Union, Appellant No: 06-3405 v. Fifth Third Bank; Bj's Wholesale Club, Inc.

Bj's Wholesale Club, Inc., Defendant/Third-Party Plaintiff v. International Business Machines Corporation, Inc., Third-Party Defendant.

No. 06-3392.

No. 06-3405.

United States Court of Appeals, Third Circuit.

Argued: June 19, 2007.

Opinion Filed: July 16, 2008.

Joseph Wolfson, Esq. (Argued), Stacey A. Scrivani, Esq., Stevens & Lee, King of Prussia, PA, for appellant, Sovereign Bank.

Donald B. Kaufman, Esq. (Argued), Devin Chwastyk, Esq., McNees Wallace & Nurick LLC, Harrisburg, PA, for appellant, Pennsylvania State Employees Credit Union.

James W. Prendergast, Esq. (Argued), Jennifer L. Carpenter, Esq., Wilmer Cutler Pickering Hale and Dorr LLP, Boston, MA, Gordon Pearson, Esq., Mario J. Weber, Esq., Wilmer Cutler Pickering Hall and Dorr LLP, Washington, D.C., Richard L. Kremnick, Esq., Christopher A. Lewis, Esq., Lewis W. Schlossberg, Esq., Blank Rome LLP, Philadelphia, PA, for appellee, BJ's Wholesale Club, Inc.

W. Breck Weigel, Esq. (Argued), Vorys, Sater, Seymour & Pease LLP, Cincinnati, OH, Andrew L. Swope, Esq., Abram D. Burnett III, Esq., Kirkpatrick & Lockhart Preston Gates Ellis LLP, Harrisburg, PA, for appellee, Fifth Third Bank.

Before: McKEE, FISHER and CHAGARES, Circuit Judges.

OPINION

McKEE, Circuit Judge.

In these consolidated appeals, Sovereign Bank and the Pennsylvania State Employees Credit Union appeal orders dismissing claims that arose from the theft of certain credit card information from a retailer's computer files. For the reasons that follow, we will reverse in part, and affirm those orders in part.

I. BACKGROUND

These consolidated appeals involve two law suits that arose from the theft of credit card information from the computer files of a prominent retailer. Visa U.S.A., Inc., is a corporation, comprised of an association of financial institutions, which operates a credit card payment system known as "Visa." Sovereign Bank and the Pennsylvania State Employees Credit Union ("PSECU") are both members of the Visa network. Sovereign and PSECU have a Membership Agreement with Visa that allows them to issue Visa cards to their respective customers and members. Within the Visa network, Sovereign and PSECU are referred to as "Issuers," which means that they issue Visa cards to cardholders pursuant to the contracts they enter into with them.

Fifth Third Bank is also a member of the Visa network, and it also has a Membership Agreement with Visa. Within the network, Fifth Third is referred to as an "Acquirer," which means that Fifth Third enters into contractual relationships with businesses that agree to accept Visa cards as payment for their goods and services ("Merchants"). Acquirers process those transactions on behalf of the Merchants. BJ's Wholesale Club, Inc., is a Merchant. Accordingly, Fifth Third and BJ's have entered into a Merchant Agreement. Although Merchants participate in the Visa network, they are not members. Only financial institutions are eligible for membership. Therefore, Merchants have no contractual relationship directly with Visa.

Every time a cardholder uses a Visa card to pay a Merchant for goods or services, the Issuer, Acquirer and Merchant must interact to process and complete the transaction. The Merchant's computer scanners first "read" the "Cardholder Information" contained in the magnetic stripe on the back of Visa cards as they are swiped through the familiar terminal at the checkout. The Merchant then sends the pertinent account information through the Visa network to the Issuer. The Issuer reviews the Cardholder Information and, assuming the card is valid with sufficient available credit, the Issuer authorizes the transaction, and so notifies the Merchant. Upon receiving that notification the Merchant completes the transaction with the cardholder, and then forwards the receipt to the Acquirer who pays the Merchant pursuant to their agreement. The Acquirer then notifies the Issuer that payment has been received, and the Issuer pays the Acquirer and charges the cardholder.

Visa has created an extensive set of "Operating Regulations" to both govern and facilitate transactions involving Visa cards.¹ Those Regulations address virtually every aspect of the Visa payment system, and impose both general and specific requirements on participants in the network.

The disputes in these appeals center on certain security regulations including the Cardholder Information Security Program ("CISP"). The CISP provisions apply to Issuers and Acquirers and include broad security requirements intended to protect Cardholder Information. Those requirements include a prohibition against retaining or storing the data encoded in the familiar magnetic stripe on the back of credit cards, i.e., Cardholder Information, after a consumer transaction is completed.

One provision of the Operating Regulations, entitled "Enforcement," defines procedures by which Visa can enforce compliance with the Operating Regulations. That provision expressly allows Visa to take specified remedial actions against Members who do not comply with the Operating Regulations, including levying fines and penalties. Enforcement actions can be appealed to Visa's Board of Directors, but the Board's decision is final. The Operating Regulations give Visa, and only Visa, the right to interpret and enforce the Operating Regulations, and only Visa can determine whether a violation of the Operating Regulations has occurred.

The Operating Regulations also impose extensive security requirements on Issuers and Acquirers. Section 2.3 of the Operating Regulations requires Issuers and Acquirers to ensure that their agents, service providers and Merchants comply with the Operating Regulations.

The Visa Operating Regulations also include comprehensive provisions for resolving disputes between Visa members. These provisions allow members to challenge disputed charges through "chargeback" and representment procedures,² in accordance with risk allocation judgments made by Visa. Disputes about the use of these procedures are resolved by arbitration.

Finally, the Operating Regulations also include "Compliance" provisions that apply when a Member's violation of a Regulation causes a financial loss to another Member who cannot be made whole by resorting to chargeback or representment. For example, a loss resulting from fraudulent charges using stolen data is allocated to the Issuer. However, the Issuer may use the Compliance proceedings to shift that loss to the Acquirer if it resulted from the Acquirer's violation of an Operating Regulation. The Compliance provisions do not eliminate any rights a Member may have to pursue any legal remedies that may otherwise be available.

Pursuant to their Membership Agreements with Visa, all Members of the Visa network including Insurers and Acquirers, agree to be bound by the Operating Regulations. In addition, before an Acquirer can enter into a Merchant Agreement with a Merchant, the Acquirer must first determine that the Merchant will abide by the Operating Regulations. Given the importance attached to uniform compliance, an Acquirer's initial determination is deemed insufficient. Rather, an Acquirer must agree to ensure continued compliance with the Operating Regulations. Finally, the Acquirer must have a Merchant Agreement with each of its Merchants. The Merchant Agreements may generally contain whatever extraneous provisions the Acquirer and Merchant agree upon, but, the Agreement must, at a minimum, contain the provisions of Section 5.2 of the Operating Regulations. These disputes involve § 5.2.h. 3.b. That subdivision prohibits a Merchant from retaining or storing Cardholder Information after an Issuer authorizes a transaction. Like all Visa Members, Fifth Third's predecessor agreed to be bound by the Visa Operating Regulations and By-Laws, which are incorporated by reference into the Membership Agreement.

The seeds that sprouted this litigation were sewn in February 2004, when Visa identified a potential compromise of electronically stored Cardholder Information pertaining to certain Visa cards issued by Sovereign, PSECU and other financial institutions. Electronic data on some credit cards had been copied and used to fraudulently obtain goods and services after cardholders had used the cards at various BJ's stores. Visa responded by issuing a "CAMS alert" to potentially affected Issuers. Such CAMS alerts notify Visa members that Cardholder Information may have been compromised. The CAMS alert here notified the Issuers that Visa cards which had been properly presented for payment at BJ's stores from July 2003 through February 2004 had been compromised and could be used to make fraudulent purchases.

Sovereign responded to the February 2004 alert by cancelling some Visa cards and issuing new Visa cards to the affected cardholders.³ Sovereign claims that the fraud was only possible because BJ's improperly retained and stored the Cardholder Information from its customers' cards instead of deleting the data immediately after a sales transaction was completed, as required by Visa Operating Regulation § 5.2.h.3.b. In Sovereign's view, BJ's failure to comply with the requirements of § 5.2.h.3.b. breached a duty owed to Sovereign. Sovereign further contends that Fifth Third failed to comply with the Operating Regulations by failing to ensure that BJ's complied with § 5.2.h.3.b.

According to Sovereign, BJ's failure to delete the Cardholder Information magnetically stored in Visa cards, and Fifth Third's failure to ensure that BJ's complied with § 5.3.h.3.b, allowed the unauthorized and fraudulent use of Cardholder Information. Sovereign maintains that it was legally obligated to reimburse its cardholders for the resulting fraudulent charges, and that it incurred...