JPMorgan Chase Bank and its merchant-acquiring affiliate Paymentech have filed a breach-of-contract suit against restaurant operator and Paymentech merchant Landry’s Inc. seeking to recover $20 million in fines from Visa Inc. and Mastercard Inc. stemming from a 2014-15 data breach at dozens of Landry’s properties.
The bank and processor, collectively called Chase Payment in the suit filed last week in federal court in Houston, say that under the merchant-processing contract with Landry’s, the restaurant operator is responsible for paying any fines from a data breach, dubbed assessments in card-industry parlance. Under standard industry practice, the acquirer is technically liable for assessments resulting from a breach, but passes on the expense to the responsible merchant. The assessments are meant to cover affected card issuers’ costs, including fraud and card-reissuance expenses.
Houston-based Landry’s owns and operates more than 600 restaurants under brands that include Landry’s Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton’s The Steakhouse, McCormick & Schmick’s, Mastro’s Restaurants, and Rainforest Cafe. The company denies it has any liability to Paymentech or Chase Bank, both subsidiaries of JPMorgan Chase & Co., and calls the networks’ imposition of assessments an “unlawful practice.”
The lawsuit stems from a payment card compromise at dozens of Landry locations in multiple states that Paymentech discovered on Dec. 2, 2015, according to the civil complaint. The breach affected “millions of credit card accounts” and happened in three periods between May 2014 and into December 2015, the complaint says. Some 14 Landry’s brands were affected, including Bubba Gump, McCormick & Schmick’s, Rainforest Café, and Saltgrass restaurants, plus some Landry’s-owned Golden Nugget Hotel and Casino locations.
Landry’s announced the breach in a Dec. 17, 2015, press release that noted some customers had reported unauthorized charges on their cards. Fraudsters planted malware on point-of-sale terminals that compromised magnetic-stripe data such as cardholder names, card numbers, expiration dates, and verification codes, according to a later Landry’s press release.
The card networks commenced investigations, resulting in assessments to Paymentech of $12.6 million from Visa and $10.5 million from Mastercard, according to the complaint. Landry’s balked at paying them, and Paymentech appealed both at the merchant’s request. Visa denied the appeal on Jan. 31, 2018, saying Landry’s was in violation of multiple PCI Security Standards Council data-security standard rules, and added $50,000 to the assessment to cover appeal costs.
A few weeks later, Mastercard also concluded Landry’s had failed to comply with PCI rules but reduced the fine by $3.16 million for a final assessment of $7.38 million, the complaint says.
Chase Paymentech says it then demanded Landry’s indemnify it for the $20 million that it had been debited by Visa and Mastercard. “Despite its obligation under the [merchant] agreement, Landry’s baldly refused” to do so, the complaint says.
In an emailed statement, L
“Since Chase Paymentech’s business model relies entirely on [the Visa and Mastercard brands] … Chase Paymentech would rather capitulate to the demands of the powerful credit card brands than stand up for its merchants by taking action to challenge Visa’s and MasterCard’s unlawful practice in imposing these assessments,” the statement says.
A Chase spokesperson declined to comment beyond the lawsuit.