I’m only discussing the Lanham Act claims, but there are many other claims in this case. First Data and SecurityMetrics generally sit at different points in the market for servicing merchants who take credit card payments, but apparently First Data is encroaching into SecurityMetric’s space. “PCI” originally stood for “Payment Card Industry,” but now also is used to refer to the PCI Security Standards Council and the PCI Data Security Standard administered by the council. Major credit card brands formed the council, which developed the security standard now adopted by all the credit card brands. They penalize noncompliance with the security standard.
While the PCI standard is universal, the various brands have different requirements for demonstrating or validating compliance with the standard. There are a number of different types of PCI compliance service vendors assessing various aspects of transactions; the credit card brands recognize certifications for several different functions, and the PCI Council certifies the vendors. SecurityMetrics is certified by the PCI Council for several specific functions, and First Data isn’t.
Instead, First Data is a payment processor: it processes transactions for merchants and independent sales organizations. SecurityMetrics provided compliance services to some merchants for whom First Data provides processing services. They worked together by contract for several years. First Data promoted SecurityMetrics to certain customers as a preferred vendor for compliance validation services, and SecurityMetrics used a protocol for reporting validation of compliance known as the START system. SecurityMetrics alleged that First Data breached the agreement, then prematurely terminated it.
SecurityMetrics alleged that, in mid-2012, First Data began offering a service called “PCI Rapid Comply,” in competition with SecurityMetrics. First Data imposes billing minimums on certain customers. SecurityMetrics alleged that, when calculating the minimums, First Data counted fees for PCI Rapid Comply towards them, but not fees paid to vendors of other PCI compliance services. First Data also allegedly told merchants who used other compliance vendors that they’d have to pay for those services in addition to the cost of PCI Rapid Comply. This was allegedly false because First Data refunds amounts paid to third-party vendors by merchants who use the services of those vendors to become compliant.
The court noted uncertainty whether failure to disclose can be actionable in the Fourth Circuit, which is odd since implied falsity is, as the court notes, actionable everywhere, and one way to imply a falsehood is to say some things and withhold relevant information. In any event, SecurityMetrics stated a Lanham Act false advertising claim because First Data’s advertising said that merchants “will pay” the additional cost—that could be understood as an affirmative misstatement.
SecurityMetrics’ false endorsement claim also survived. It alleged that First Data’s use of the phrase “PCI” in the name of its “PCI Rapid Comply” service was likely to cause merchants and others to incorrectly believe that the service is associated with or approved by the PCI Council. First Data argued that SecurityMetrics lacked standing to raise this claim, since it didn’t own any PCI marks. However, SecurityMetrics alleged that it had actually been harmed by this misstatement.
Dastar says that § 43 goes beyond trademark protection, and false endorsement covers use of words that are likely to cause confusion “as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval of his or her goods, services, or commercial activities by another person.” Thus there are three distinct individuals involved: (1) the user of the term, (2) the misrepresented party, and (3) the plaintiff. First Data argued that (2) and (3) had to be the same, but the court disagreed. While some people, like consumers, lack standing to bring a false endorsement claim, and while the plaintiff must have some sort of commercial or competitive interest (what sort will soon be decided by the Supreme Court), the plaintiff need not have an interest in the mark itself. See Famous Horse. This is consistent with the statutory language covering “any person who believes that he or she is or is likely to be damaged by such act.” SecurityMetrics alleged damage to its commercial interests and its ability to stay competitive in the marketplace; that was enough.
The same alleged damage made SecurityMetrics more than a mere intermeddler and gave it standing to seek cancellation of First Data’s trademark registration for the term.