1 of 2
Stephen and Cissy McComb, who opened the Park City restaurant Cisero's in 1985, are in a legal fight with the bank that processed their credit charges.
This case has the potential to send the message that merchants can stick up for themselves in these relationships and demonstrate that they're correct and the bank has it wrong. —Douglas Kantor, lawyer

PARK CITY — Stephen and Cissy McComb say they managed their Italian eatery in Park City for more than two decades without running afoul of security rules of Visa Inc. and MasterCard Inc. — until they were accused of mishandling data and opening the door to $1.26 million in fraud.

The McCombs, who opened Cisero's in 1985, are now in a legal fight with the bank that processed their credit charges and, indirectly, with what they say are card networks that change rules without notice, impose unfair one-sided contracts and allow the taking of money from merchants' accounts with no proof of fault.

The couple sued, saying they didn't break MasterCard and Visa rules, that there was no security lapse and that no acts of fraud were specifically claimed. The fraud was conjured from unexplained and unsupported data, they said in court papers filed in state court in Summit County. Their suit may be the first court challenge to penalties under the card networks' security procedures, said one of their lawyers, W. Stephen Cannon.

It's rare for banks and their processors to file a lawsuit against a merchant, lawyers said.

"This case has the potential to send the message that merchants can stick up for themselves in these relationships and demonstrate that they're correct and the bank has it wrong," said Douglas Kantor, a lawyer at Steptoe & Johnson LLP in Washington who isn't involved in the litigation. "Merchants essentially live in fear that they will be crushed by the card companies and banks if there's ever a dispute, and therefore don't dispute most of these things."

Kantor is counsel to the Merchants Payments Coalition, a group of more than 100 trade associations.

Merchants critical

The McCombs aren't alone in criticizing payment-card industry, or PCI, rules, said Mallory B. Duncan, general counsel of the National Retail Federation in Washington.

"There's a suspicion among many merchants that PCI is a near scam wrapped in good intentions," Duncan said by phone from Washington. "The dissatisfaction with PCI and the financial consequences of it in the retail industry are rampant."

The McCombs are in litigation against Elavon Inc., an Atlanta-based payment-processing company, and US Bank. Both are units of US Bancorp, Minnesota's largest bank.


US Bancorp is a middleman in Cisero's credit business, out of sight of customers who may be aware only of Visa, MasterCard and the banks that issue the cards. Worldwide spending on Visa debit and credit cards in the quarter ended Sept. 30 was $970 billion. Worldwide spending on MasterCard- and Maestro-branded cards was $469 billion.

More than 8 million U.S. merchants accept Visa and MasterCard, said David Boies, an attorney for American Express Co., according to a company transcript of an October 2010 conference call with analysts and reporters.

As the so-called acquiring bank, US Bank provided Cisero's with access to payment networks and maintained an account from which it paid the restaurant for credit-card purchases, the McCombs said. Elavon processed the payments.

The McCombs countersued in August after US Bancorp sued them for $82,692 in fines imposed by Visa and MasterCard.

Teri Charest, a spokeswoman for US Bancorp, said in an email that the bank denied any liability and will fight the lawsuit.

Film festival

The restaurant, decorated in earth colors, has high-back upholstered booths in the dining room and a club with dancing in the basement. The pasta is made from scratch.

Customers during the Sundance Film Festival have included actors Russell Crowe, Ben Kingsley and Sandra Bullock as well as Robert Redford, said Stephen McComb.

US Bancorp told Cissy McComb in March 2008 that credit cards used at the restaurant may have been fraudulently used elsewhere, according to court papers. It was the first she learned of the card networks' latest rules, Cissy McComb said.

"We find ourselves in a position to do nothing but defend ourselves and try to change the way merchants are treated," she said.

Visa and MasterCard require the merchant to hire an approved forensic examiner to investigate if an "account data compromise" event occurred when they determine there may have been a breach.

After the networks said cards fraudulently used in the area had been used at Cisero's, the restaurant had separate investigations done by two examiners. They showed that no one hacked into the restaurant's computers, the McCombs said in court papers.

Customer data

Unknown to them, data on 8,107 customers' accounts had been stored in their computer system, they said. That was fewer than the 10,000 threshold for a fine to be imposed under Visa's rules that certain customer data shouldn't be stored on a merchant's computer, they said.

Visa later said 32,581 accounts were on Cisero's computer, without explaining how it got that number, according to the McCombs.

MasterCard and Visa said Cisero's violated their security standards. They fined US Bancorp, which is seeking to recoup the money from the restaurant in its lawsuit.

Visa decided the "actual fraud" was $1.26 million and calculated Cisero's total liability for noncompliance at $1.33 million, according to court papers. The restaurant's "total pre-cap liability" was put at $511,513, the couple said in court papers, and ultimately Visa said Cisero's owed $55,000.

"These various shifting numbers based on unexplained calculations" show that the "process is little more than a scheme to extract steep financial penalties from small merchants," Cisero's said in court papers.

Fraudulent cards

MasterCard said it could assess $100,000 against the restaurant but was imposing only $15,000, they said. The card company later added $13,850 in loss claims by issuing banks based on fraudulent cards supposedly made with data stolen from Cisero's system, the McCombs said.

The couple denied any data was stolen from their system and "were never given a meaningful opportunity to provide evidence," they said.

Denise Dunckel, a spokeswoman for San Francisco-based Visa, and James Issokson, a spokesman for Purchase, New York-based MasterCard, declined to comment on the lawsuit. Their companies aren't defendants in the case.

In September 2008, the McCombs found that US Bancorp was taking money from its account, they said, with deductions eventually reaching $10,172. To prevent further seizures, they closed the account and found a new bank and processor, they said.

Unauthorized charges

"It was at the end of the month and we had to pay our payroll," Cissy McComb said. "Elavon was taking every dollar out of the account."

US Bancorp sued to recoup the $82,692 it said it was owed and the restaurant refused to pay after it "failed to secure and keep safe the credit-card information of individuals who made charges at Cisero's," the bank said.

"Unauthorized charges were made on some credit cards which had previously been used to make purchases at Cisero's," US Bancorp said in its complaint.

In its countersuit, Cisero's asked for the withdrawn money and damages for loss to reputation and emotional distress for Cissy McComb. Under contract law, US Bancorp isn't allowed to impose fines, the McCombs said in court papers.

Contributing: Shelley Osterloh