First Data Merchant Services Corp. v. SecurityMetrics, Inc., --- Fed.Appx. ----, 2016 WL 7010889, No. 15-2301, No. 15-2364 (4th Cir. Dec. 1, 2016)
Lower court opinion discussed here. The court of appeals affirmed the district court’s rejection of the parties’ claims against each other that were at issue on appeal (a major issue of settlement interpretation was not appealed). First Data and SecurityMetrics are in the Payment Card Industry (PCI). In the PCI, issuers supply payment cards to consumers and collect amounts due; acquirers clear and settle payment card transactions on behalf of merchants; and processors facilitate the communication and settlement of payment. Some PCI providers outsource certain functions to third-party vendors. First Data is an acquirer and processor. SecurityMetrics is a third-party vendor.
The PCI Data Security Standard, meant to help protect against credit card theft and fraud, is universal, but the payment card brands each have different requirements for demonstrating or validating compliance with the standard. Acquirers, such as First Data, can impose noncompliance penalties and fees on merchants. Acquirers often rely on third-party vendors, such as SecurityMetrics, to validate merchants’ compliance.
The parties used to work together, with First Data listing SecurityMetrics as its preferred data compliance vendor in all communications with certain merchants. First Data charged merchants a PCI compliance fee and then paid SecurityMetrics for its compliance services on behalf of the merchants. When First Data decided to offer its own compliance service, it ordered SecurityMetrics to cease communication with its merchants; SecurityMetrics alleged First Data had breached their contract and stopped sending its weekly data feed.
On appeal, SecurityMetrics argued (among other things) that First Data’s advertisements violated the Lanham Act. Some promotional materials stated that First Data merchants would have to pay First Data’s compliance fee regardless of whether the merchant also used a third-party compliance vendor, whereas First Data actually provided refunds to merchants who used third-party compliance vendors.
The challenged First Data ads said:
If you choose to use a third-party vendor for PCI DSS compliance services, you will need to contract with and pay that vendor directly. In addition to your alternate vendor’s charges for PCI DSS compliance services, you still will need to pay the Compliance Service Fee charged to you by your merchant services provider. The Compliance Service Fee is not affected by your choice to use a third-party vendor.
* * *
If First Data’s PCI compliance services are contractually available to you, you will be charged an applicable annual compliance fee for those services, regardless of whether you use them or utilize the services of some other third-party PCI compliance services vendor. If you utilize the additional services of a third party vendor, you will pay that third party vendor’s charges for those fees in addition to First Data’s annual compliance fee.
The court of appeals agreed that these statements were ambiguous, not literally false. It was undisputed that merchants had to pay a fee to First Data regardless of whether or not they paid a third party for the same services. SecurityMetrics alleged that, in practice, First Data would refund a merchant that complained about being double charged. But failing to state that a refund might be available was not literally false. By one reading, the service fee would change because of First Data’s refund policy. But another reading was that, “because First Data’s refund policy was discretionary and not automatic, the advertisement is true on its face.” A customer who didn’t ask for a refund wouldn’t get one. This wasn’t false by necessary implication, and there was no evidence of deception.
As for tortious interference claims, the court upheld the exclusion of recorded calls and emails from customers who cancelled contracts with SecurityMetrics as hearsay. The evidence of causation, “why the merchants decided not to renew or sign a contract,” was relevant but inadmissible. SecurityMetrics argued for admitting the calls and emails under the state of mind exception, since they were offered only to prove “what customers believed and why they did what they did.” “However, unless the statements are also offered for the truth of the matter asserted—that the merchants canceled their contracts with SecurityMetrics because of First Data’s misconduct—these customer statements do not show causation.” [I have to admit, I don’t grasp this distinction. Thoughts from people with more experience with evidence? This seems like the kind of evidence routinely admitted in trademark cases.]