First Data Merchant Services Corp. v. SecurityMetrics, Inc.,
--- Fed.Appx. ----, 2016 WL 7010889, No. 15-2301, No. 15-2364 (4th
Cir. Dec. 1, 2016)
Lower
court opinion discussed here. The
court of appeals affirmed the district court’s rejection of the parties’ claims
against each other that were at issue on appeal (a major issue of settlement
interpretation was not appealed). First
Data and SecurityMetrics are in the Payment Card Industry (PCI). In the PCI, issuers
supply payment cards to consumers and collect amounts due; acquirers clear and
settle payment card transactions on behalf of merchants; and processors
facilitate the communication and settlement of payment. Some PCI providers
outsource certain functions to third-party vendors. First Data is an acquirer
and processor. SecurityMetrics is a third-party vendor.
The PCI Data Security Standard to help protect against
credit card theft and fraud is universal, but the payment card brands each have
different requirements for demonstrating or validating compliance with the
standard. Acquirers, such as First Data, can impose noncompliance penalties and
fees on merchants. Acquirers often rely on third-party vendors, such as
SecurityMetrics, to validate merchants’ compliance.
The parties used to work together, with First Data listing SecurityMetrics
as its preferred data compliance vendor in all communications with certain
merchants. First Data charged merchants a PCI compliance fee and then paid
SecurityMetrics for its compliance services on behalf of the merchants. When
First Data decided to offer its own compliance service, it ordered
SecurityMetrics to cease communication with its merchants; SecurityMetrics
alleged First Data had breached their contract and stopped sending its weekly
data feed.
On appeal, SecurityMetrics argued (among other things) that
First Data’s advertisements violated the Lanham Act. Some promotional materials
stated that First Data merchants would have to pay First Data’s compliance fee
regardless of whether the merchant also used a third-party compliance vendor,
whereas First Data actually provided refunds to merchants who used third-party
compliance vendors.
The challenged First Data ads said:
If you choose to use a third-party
vendor for PCI DSS compliance services, you will need to contract with and pay
that vendor directly. In addition to your alternate vendor’s charges for PCI
DSS compliance services, you still will need to pay the Compliance Service Fee
charged to you by your merchant services provider. The Compliance Service Fee
is not affected by your choice to use a third-party vendor.* * *
If First Data’s PCI compliance
services are contractually available to you, you will be charged an applicable
annual compliance fee for those services, regardless of whether you use them or
utilize the services of some other third-party PCI compliance services vendor.
If you utilize the additional services of a third party vendor, you will pay
that third party vendor’s charges for those fees in addition to First Data’s
annual compliance fee.
The court of appeals agreed that these statements were
ambiguous, not literally false. It was
undisputed that merchants had to pay a fee to First Data regardless of whether
or not they paid a third party for the same services. SecurityMetrics alleged that, in practice,
First Data would refund a merchant that complained about being double charged. But failing to state that a refund might be available was not literally false. By one reading, the service fee would change
because of First Data’s refund policy.
But another reading was that, “because First Data’s refund policy was
discretionary and not automatic, the advertisement is true on its face.” A
customer who didn’t ask for a refund wouldn’t get one. This wasn’t false by necessary implication,
and there was no evidence of deception.
As for tortious interference claims, the court upheld the
exclusion of recorded calls and emails from customers who cancelled contracts
with SecurityMetrics as hearsay. The
evidence of causation, “why the merchants decided not to renew or sign a
contract,” was relevant but inadmissible.
SecurityMetrics argued for admitting the calls and emails under the
state of mind exception, since they were offered only to prove “what customers
believed and why they did what they did.” “However, unless the statements are
also offered for the truth of the matter asserted—that the merchants canceled
their contracts with SecurityMetrics because of First Data’s misconduct—these
customer statements do not show causation.”
[I have to admit, I don’t grasp this distinction. Thoughts from people with more experience
with evidence? This seems like the kind
of evidence routinely admitted in trademark cases.]
No comments:
Post a Comment