Visa Inc. v. Sally Beauty Holdings, Inc.
| Decision Date | 09 December 2021 |
| Docket Number | 02-20-00339-CV |
| Citation | 651 S.W.3d 278 |
| Parties | VISA INC., Appellant v. SALLY BEAUTY HOLDINGS, INC., Appellee |
| Court | Texas Court of Appeals |
651 S.W.3d 278
VISA INC., Appellant
v.
SALLY BEAUTY HOLDINGS, INC., Appellee
No. 02-20-00339-CV
Court of Appeals of Texas, Fort Worth.
Delivered: December 9, 2021
Allyson N. Ho, Andrew P. LeGrand Sr., Elizabeth A. Kiernan, Joseph E. Barakat, Emily A. Jorgens, Gibson, Dunn and Crutcher LLP, Dallas, for Appellant.
John H. Cayce, Jr., Caitlyn E. Hubbard, Kelly Hart & Hallman LLP, Fort Worth, Douglas H. Meal, Seth Harrington, Orrick, Herrington & Sutcliffe LLP, Boston, Massachusetts, Clyde M. Siebman, Siebman Forrest Burg & Smith LLP, Sherman, for Appellee.
Before Sudderth, C.J.; Wallach and Walker, JJ.
Opinion by Chief Justice Sudderth
Given how routine credit-card transactions have become, the average card-carrying American could easily overlook the complex system that makes such transactions possible. One key component of that complex system is its contractual structure, which indirectly links merchants like Appellee Sally Beauty Holdings, Inc. to the network of transactional services provided by companies like Appellant Visa,
Inc. The enforceability of certain terms within this contractual structure, as well as the security-related representations made by merchants participating in the Visa network, are at the center of this data-breach case.
After Sally Beauty's allegedly sub-par network security enabled a credit-card network hack—Sally Beauty's second in just over a year—Visa assessed approximately $14 million in liquidated damages against the company that linked Sally Beauty to the Visa network: Fifth Third Bank. Fifth Third passed the $14 million assessment on to Sally Beauty and assigned the merchant its claims against Visa. Sally Beauty sued, arguing that Visa had breached its contract with Fifth Third by collecting the $14 million assessment because the liquidated damages provision was an unenforceable penalty under California law. Visa countersued for fraud1 alleging that, in the fourteen months between Sally Beauty's two hacks, Sally Beauty fraudulently misrepresented its compliance with network security protocols as well as its intent to remain in compliance.
The parties filed competing motions for summary judgment, and the trial court granted Sally Beauty's motions on both Sally Beauty's contract claim and Visa's fraud counterclaim. The court found that (1) the liquidated damages provision underlying the $14 million assessment was unenforceable under California law, and (2) Visa not only lacked standing to assert fraud but also failed to state a cognizable fraud claim under Texas law.2
We disagree on both counts. First, because the liquidated damages provision is presumed valid under California law and because none of Sally Beauty's arguments invalidate it, we will reverse the trial court's breach of contract judgment and hold that the liquidated damages provision is enforceable. And second, because Visa has standing to raise a fraud claim, because Sally Beauty sought dismissal of the fraud claim on the pleadings, and because we take Visa's pleadings as true and construe them in its favor, we will reverse the trial court's fraud judgment and hold that Visa stated a cognizable claim for fraud under Texas law. With both summary judgments reversed, we will remand the case for further proceedings.
I. Background
Visa's credit-card network involves multiple layers of contracts.
A. Network and Contractual Framework
Generally, when a customer uses his Visa card at one of Sally Beauty's beauty-supply stores, (1) a point-of-sale system at Sally Beauty sends the card information to Sally Beauty's acquiring bank, Fifth Third; (2) Fifth Third transmits the information via Visa's network to the bank that issued the customer's credit card; (3) the card-issuing bank authorizes the transaction; and (4) the authorization message is sent back through the Visa network to Sally
Beauty to complete the transaction.3 Visa has contracts with the card-issuing banks and with the acquiring banks (such as Fifth Third), while the acquiring banks have contracts with the individual merchants (such as Sally Beauty). Otherwise, the system participants do not have contracts with one another. Consequently, Visa has established a set of rules to govern the system: the Visa Core Rules.
The Visa Core Rules are incorporated into Visa's contracts with issuers and acquirers, and the acquirers in turn incorporate the Visa Core Rules into their contracts with merchants. The Visa Core Rules establish, among other things, (1) security requirements for network participants, (2) an investigation procedure for data hacks, and (3) a system of liquidated damages known as the Global Compromised Account Recovery (GCAR) program.
1. Security Requirements
First, the Visa Core Rules protect network security by requiring acquirers to ensure that any merchant the acquirer connects to the Visa network complies with industry-wide security protocols known as the Payment Card Industry Data Security Standards (PCI DSS).4 Merchants whose Visa transactions exceed a certain threshold are required to undergo an annual security evaluation to ensure ongoing PCI DSS compliance. Sally Beauty was one such merchant.
This annual evaluation is generally conducted by a qualified security assessor (QSA),5 who validates the merchant's compliance with more than 200 PCI DSS requirements.6 The QSA then completes a three-page summary of these findings, grouping the numerous tested requirements into 12 broad categories, such as "[i]nstall[ing] and maintain[ing] a firewall configuration to protect cardholder data" and "[p]rotect[ing] stored cardholder data."7 The QSA marks the appropriate checkbox on the summary sheet to indicate the merchant's compliance or noncompliance with each of these 12 categories.8 Both the QSA and the merchant then sign the summary sheet, affirming, among other things, that,
• [a]ll information within the above-referenced [report] and in this attestation [i.e., summary sheet] fairly represents the results of the assessment in all material respects[;]
• [t]he merchant has confirmed with the payment application vendor that [its] payment application does not store sensitive authentication data after authorization[; and]
• [t]he merchant has read the PCI DSS and recognizes that [it] must maintain full PCI DSS compliance at all times.
The Visa Core Rules provide that this signed summary, known as an attestation of compliance (AOC), must be included with the QSA's report and submitted to the merchant's acquirer and, ultimately, to Visa.
2. Investigation Procedures
The PCI DSS protocols are merely one feature of the Visa Core Rules. The second relevant feature is the investigation procedures.
In the event of a network hack, the Visa Core Rules require the hacked merchant, upon request, to hire an independent PCI DSS forensic investigator to investigate the hack. The investigator follows an industry-wide PCI DSS procedure to determine, among other things, the number of customers whose financial information was exposed to the risk of unauthorized disclosure and to determine whether the hacked merchant was compliant with PCI DSS protocols at the time of the hack. If, based on this report, Visa determines that the hacked merchant was not in compliance with PCI DSS protocols,9 if such noncompliance could have facilitated the hack, if certain cardholder data is put at risk, if Visa has to send a certain number of breach-related issuer alerts, and if the estimated issuer expenses resulting from the hack exceed a specified threshold, then the third relevant feature of the Visa Core Rules kicks in: the GCAR program.
3. GCAR Program
The GCAR program effectively allows issuers to recover for expenses caused by merchant hacks, despite the lack of privity between issuers and merchants. Generally, if a hack qualifies for the GCAR program, Visa calculates and imposes a liquidated assessment against the acquirer that provided the hacked merchant with access to the Visa network.10 The acquirer, in turn, generally passes the assessment on to the hacked merchant.11 Then, after Visa collects the liquidated damages, Visa distributes the funds to the affected issuers.
Two elements comprise the GCAR's liquidated damages formula: (1) incremental counterfeit fraud liability, and (2) issuer operating-expense recovery. The incremental-counterfeit-fraud-liability portion is calculated based on the number of at-risk Visa customers and the amount of marginal fraud observed on their accounts. The issuer operating-expense recovery, in turn, is calculated by multiplying a specified operating-expense amount by the number of eligible at-risk customer accounts.12 As the sum of these two elements, the GCAR assessment is intended to estimate and reimburse a portion of the issuers’ hack-specific fraud-related expenses, such as increased account monitoring, card replacement, and customer reimbursements for fraudulent charges.13 At the same time, the
GCAR program limits Visa's contractual obligation to reimburse the issuers, and it limits the acquirer's corresponding liability to Visa for issuer reimbursements.14
B. Sally Beauty's Case
The current case involves a dispute over Visa's GCAR program. In 2015, Sally Beauty's payment system was hacked—for the second time in just over one year—putting Visa's customers’ data at risk. Visa required Sally Beauty to investigate the hack, and the PCI DSS investigator determined that Sally Beauty had not complied with certain PCI DSS protocols and that this noncompliance allowed third parties to hack Sally Beauty's system. Because Fifth Third was providing Sally Beauty with access to Visa's network, Visa relied on the investigator's report to impose a GCAR assessment of $14.29 million against Fifth Third.15 Fifth Third passed the GCAR assessment on to Sally Beauty, and Sally Beauty paid Fifth Third in exchange for an assignment of Fifth Third's claims against Visa.
Sally Beauty then sued Visa for breach of contract, along with five other...
To continue reading
Request your trial