Appeals Court Ruling Has Implications for Submerchant Contracts

The process of contract drafting and negotiation can be a test of patience. Initially, it seems that each word is scrutinized by all of the parties involved. The process can feel like overkill for documents that are often then tucked into a drawer, part of the endless paper byproduct of running a business. 

Unless the contract terms wind up in court. 

An appeals court ruling earlier this year sheds light on the importance of submerchant contracts and what they tell payment facilitators about their rights and obligations, according to Holli Targan, partner at the law firm Jaffe Raitt Heuer & Weiss. 

The court case, Spec’s v. First Data, concerns a data breach that impacted a Texas-based chain of liquor stores. After the breach, an investigation determined that the merchant’s security measures did not meet Payment Card Industry Data Security Standard (PCI DSS) requirements. 

Visa and Mastercard levied fines on the acquiring bank, which in turn passed them along to First Data. First Data then tried to pass them along to the merchant by withholding payments and placing the funds in a reserve account. 

The merchant sued First Data and pointed to the limitation of liability clause in its contract, claiming it was not responsible for what the contract referred to as “indirect or consequential damages.” 

First Data in turn argued that the assessments levied by the card networks were in fact damages that resulted directly from the merchant’s lack of compliance. But the U.S. District Court for the Western District of Tennessee disagreed, and the U.S. Court of Appeals for the Sixth Circuit affirmed the district court’s finding.

“The data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results of Spec’s Family’s PCI DSS non-compliance, did not necessarily follow from it. As Spec’s points out, a non-compliant merchant might never suffer a data security breach. Moreover, the card brands exercise discretion in issuing assessments, failing to levy them in every situation and never for PCI DSS non-compliance alone,” the court wrote in its opinion.

The outcome of this case has two important lessons for payments providers, including payment facilitators, Targan said. 

One, PFs should review their submerchant contracts with their attorneys and revise the language if necessary, in light of this ruling. 

“The court found that these card brand assessments for security breaches were consequential damages. Most commercial contracts say that neither party is liable for consequential damages. Because the court found that this kind of fee fell into that category, the merchant was not liable for it,” she said.

“So, because of that, it’s important that payment facilitators take a look at their merchant agreements. A merchant could now argue that it is not liable for card brand penalties because of this court case.”

The second, broader lesson is the overall importance of submerchant contracts and the specificity of the language they contain.

“You have to be crystal clear in the contract. To the extent that you can be as specific as possible, it would be to your benefit,” Targan said.

This outcome points out how critical contracts really are, she said. While they may remain tucked away as long as a relationship is going well, a PF will need to rely on them if something unexpected happens.

“Pay attention to the obligations and the rights you’re signing up for whenever you execute any contract,” Targan said. “They’re there to protect you, and you need to make sure that they’re right.”