First Data Merchant Services Corp. v. SecurityMetrics, Inc., 2014 WL 7409537, No. RDB–12–2568 (D. Md. Dec. 30, 2014)
Earlier ruling excluding false endorsement survey. Even earlier ruling allowing false endorsement theory to proceed.
This “contentious” case involved a soured business relationship and an earlier Utah settlement; this new filing alleged post-settlement misconduct by SecurityMetrics. After this decision, settlement-related claims and tortious interference claims remained, but the false advertising/trademark aspects were gone.
Background: issuers issue payment cards to consumers and collects from them. When a consumer uses a card to pay a merchant, an “acquirer” obtains authorization for the transaction from the consumer’s issuer and then clears and settles the transaction so that the merchant gets paid and the consumer’s account gets charged. Some payment cards have open networks that allow separate entities to operate as issuers and acquirers, in which case “processors” facilitate communication and settlement. First Data operates as an acquirer and payment processor. Sometimes First Data stands in the shoes of other acquirers and then deals with the acquirers’ merchants directly.
PCI is an acronym for “Payment Card Industry.” The PCI Security Standards Council was formed in 2006 by the major credit card brands and developed the PCI Data Security Standard, adopted by the major credit card brands as their data security compliance requirement for all merchants. While the PCI standard is universal, various payment card brands have different requirements for showing compliance. For the lower-volume merchants at issue here, they can use a self-assessment questionnaire, unless they sell over the internet, which requires vulnerability scans of their computer systems that must be approved by PCI Council-approved scanning vendors (ASV). SecurityMetrics is certified by the PCI Council as an ASV, but First Data is not.
First Data processed credit and debit card transactions for merchants and independent sales organizations (ISOs). SecurityMetrics provided compliance services to some merchants for whom First Data provides processing services. Where First Data provided acquirer services (~820,000 merchants), it instituted a PCI Standard compliance reporting program. The parties worked together for several years, with SecurityMetrics as First Data’s preferred vendor for validating compliance with PCI Standards. First Data then began offering PCI Rapid Comply, in competition with the services offered by SecurityMetrics. SecurityMetrics alleged various unfair practices in connection with First Data’s rollout of PCI Rapid Comply, including representations that First Data merchants who used other compliance verification vendors would have to pay for those services along with the cost of PCI Rapid Comply. Utah litigation resulted in a settlement; First Data then decided to wind down PCI Rapid Comply and partnered with Trustwave, a third-party PCI compliance vendor.
SecurityMetrics’ false advertising claims were based on First Data’s statements that if its clients used a third-party vendor for compliance services, they’d have to contract with and pay that vendor directly; that they’d still owe the Compliance Service Fee; and that if First Data’s PCI compliance services were contractually available to clients, they’d be charged for those services even if they used a third-party vendor. However, First Data allegedly actually provided refunds to merchants who used third-party vendors, covering the fee.
The court first determined that the statement at issue was not literally false. First Data charged a standard fee but in some cases provided a refund. Thus, the statements weren’t false, but omitted that a refund might be available. That was at best misleading, and there was no extrinsic evidence of actual consumer confusion. Thus, summary judgment for First Data was appropriate. The court commented that this same statement could go to a jury for a literal falsity determination in other circumstances: if First Data never charged the compliance fee, a jury would have to decide whether the statements were false. But no reasonable jury could conclude that the statement was false on its face given the actual facts.
False endorsement: SecurityMetrics argued that the name PCI Rapid Comply falsely suggested endorsement by the PCI Security Standards Council, and that First Data’s statement that “Claims that certain services offered by FDMS are not ‘approved’ by the PCI Security Council or that FDMS is selling PCI compliance products it is not authorized to sell are not true.” But without survey evidence about the name, there wasn’t enough evidence to proceed on that theory. The acronym alone didn’t unambiguously imply endorsement, so SecurityMetrics needed extrinsic evidence. (Note application of §43(a)(1)(B) standard to what’s generally a §43(a)(1)(A) theory, though this is arguably appropriate given that plaintiff isn’t claiming that the defendant is getting a false endorsement from the plaintiff, but rather from a third party.)
Likewise, SecurityMetrics argued that the “not true” statement was clearly false. First Data argued that the terms “approved” and “authorized” were ambiguous and there was no evidence that Rapid Comply was not “approved” or “authorized” by the PCI Council, especially given that the service operated for two years without any signs of disapproval from the PCI Council. The court found the statement “inherently ambiguous.” First, it referred to “certain services,” which lacked specificity, though presumably referred to Rapid Comply. (In context, that ambiguity seems to drop out.) Second, the statement could be interpreted in various ways. One meaning would be that the services are simply not authorized or approved because such authorizations and approvals are not made by the PCI Council. That wasn’t literally false and there was no extrinsic evidence of deception.
SecurityMetrics’ counterclaim for cancellation of First Data’s registered trademark in PCI Rapid Comply also failed for similar reasons, as did the Utah Truth in Advertising Claim.