United States District Court, E.D. Missouri, Eastern Division
For Schnuck Markets, Inc., Plaintiff: Craig A. Hoffman, LEAD ATTORNEY, PRO HAC VICE, BAKER AND HOSTETLER, Cincinnati, OH; Daniel R. Warren, LEAD ATTORNEY, BAKER AND HOSTETLER, LLP, Cleveland, OH; David P. Niemeier, Kevin F. Hormuth, LEAD ATTORNEYS, GREENSFELDER AND HEMKER, PC, St. Louis, MO.
For First Data Merchant Data Services Corp., Citicorp Payment Services, Inc., Defendants, Counter Claimants: Amy C. Purcell, Joshua Horn, LEAD ATTORNEYS, FOX ROTHSCHILD, LLP, Philadelphia, PA; Lucy H. Unger, LEAD ATTORNEY, Patrick I. Chavez, WILLIAMS AND VENKER, St. Louis, MO; Nicholas T. Solosky, LEAD ATTORNEY, FOX ROTHSCHILD LLP, Washington, DC.
For Schnuck Markets, Inc., Counter Defendant: Daniel R. Warren, LEAD ATTORNEY, BAKER AND HOSTETLER, LLP, Cleveland, OH; David P. Niemeier, Kevin F. Hormuth, LEAD ATTORNEYS, GREENSFELDER AND HEMKER, PC, St. Louis, MO.
MEMORANDUM AND ORDER
JOHN A. ROSS, UNITED STATES DISTRICT JUDGE.
This matter is before the Court on cross-motions for judgment on the pleadings. (Doc. Nos. 37, 43) The motions are fully briefed and ready for disposition.
This action arises out of a cyber attack on grocery store chain Schnuck Markets, Inc. ("Schnucks") in late 2012 through early 2013 which compromised certain of its customers' debit and credit card information. Schnucks asserts causes of action for breach of contract and declaratory judgment against its transaction processing servicers, First Data Merchant Services Corporation ("First Data") and Citicorp Payment Services, Inc. ("Citicorp") (collectively "Defendants"), claiming Defendants are withholding more transaction money than their merchant payment processing agreement permits in order to reimburse banks that issued payment cards affected by the attack.
In October 2011, Schnucks and First Data entered into a Master Services Agreement ("MSA") under which First Data agreed to provide credit and debit card processing services for Schnucks. (Doc. No. 37-1) At the same time, Schnucks, First Data, and Citicorp entered into a Bankcard Addendum to Master Services Agreement ("Bankcard Addendum"), which set forth the terms and conditions by which Defendants agreed to provide credit and debit card processing services for Schnucks. (Doc. No. 37-2) The Bankcard Addendum incorporates the terms of the MSA and First Data's Program Terms and Conditions ("Operating Procedures"). (Doc. No. 37-3) Both the MSA and Bankcard Addendum incorporate the rules and regulations of the card brands Visa and MasterCard ("the Associations"). (See Visa International Operating Regulations ("VIOR") (Doc. No. 44-2); MasterCard Security Rules and Procedures ("MasterCard Rules") (Doc. No. 44-3), collectively "Association Rules"). The Association Rules subject Defendants to liability to the Associations in the event of data breach. If the Associations determine that a merchant was not compliant with payment card industry data security practices, they may assess a "non-compliance fine" and/or a "case management fee" against the acquiring bank, in this case, Citicorp. In addition, when the data breach involves data from the magnetic stripe of payment cards, the Association may issue assessments against the acquiring bank to reimburse banks that issued the compromised cards for two categories of losses: (1) the amount the issuing banks spent to monitor or cancel and re-issue at risk cards; and (2) the amount of fraudulent charges on the at risk cards. (See Visa Global Compromised Account Recovery ("GCAR") program (VIOR at 802); MasterCard Account Data Compromise Recovery ("ADCR") program (MasterCard Rules §§ 10.2.5.3; 10.2.6))
The MSA, Bankcard Addendum, and Operating Procedures (collectively referred to as the "Agreement") constitute the entire agreement between the parties. (See, Complaint ("Compl."), Doc. No. 9 at ¶¶ 16-17; Doc. No. 37-2 (Bankcard Addendum) at § 26.3 ("The Bankcard Addendum, along with the [MSA] . . . and the Operating Procedures, constitutes the entire agreement between the parties with respect to the subject matter")).
The Agreement obligates Schnucks to indemnify Defendants for "all losses, liabilities, damages and expenses" under certain circumstances, but also limits Schnucks' liability to $500,000, with two exceptions. For noncompliance with an industry-imposed network security framework known as Payment Card Industry Data Security Standards ("PCI DSS"), the limit is higher ($3,000,000), while for "chargebacks, servicers' fees, third party fees, and ...