A recent bombshell lawsuit by The Home Depot alleges patterns of antitrust violations, illegal collusion, and anti-competitive conduct by the Visa and MasterCard credit card networks. The suit arises in a climate in which the networks are increasingly under attack by retailers, and in which The Home Depot is embroiled in extensive litigation stemming from a massive 2014 breach of customer data. Finally, for consumers concerned with payment card security, the suit highlights potential weaknesses in some U.S. payment card technologies – particularly when compared to systems widely used overseas.
The Home Depot’s Lawsuit and Allegations
On Monday June 13, 2016, The Home Depot filed a 138-page complaint against Visa and MasterCard alleging the credit card behemoths engaged in collusion and price fixing to delay implementation of effective chip-and-PIN security technology in payment cards in the United States. As alleged in the Complaint, the use of Personal Identification Number (“PIN”) verification along with “EMV” chips (“chip-and-PIN”) has been used widely used in Europe since the mid-1990s “to make credit and debit card transactions safer and less prone to fraud.”
As the Complaint explains, the chip alone offers protection from some types of payment card fraud – such as card counterfeiting – because the EMV chip, unlike its magnetic strip predecessors, creates a unique transaction code for each purchase which can never be used again. However, because EMV chips alone do not prevent certain types of fraud – including misuse of lost or stolen cards or card information and in so-called “card-not-present” transactions (such as internet purchases) – it is ideally combined with measures, such as PIN authentication, that prevent fraudulent use of the account when the chip is not present or in the possession of someone other than an authorized user.
This is a textbook example of two-factor authentication – combining something you have (the chip) with something you know (the PIN). Despite widespread adoption abroad – and increased use of chip technology in the United States – The Home Depot asserts that Visa and MasterCard continue to encourage use of signature (as opposed to PIN) authorization even though “chip-and-PIN verification provides far greater security than signature authentication.” It also notes that signatures are typically not verified during those transactions.
While many of The Home Depot’s technical allegations are largely unremarkable – after all, card chip technology offers clear security benefits over static data strips, and PIN authentication is clearly more secure than unverified signatures – the meat of the Complaint is in the “why and how” it alleges the defendants delayed chip-and-PIN technology in the U.S. As the Complaint alleges, running transactions through PIN network is not only more secure for consumers and retailers, but also less expensive because many payment processors offering PIN transactions charge fees well below Visa and MasterCard. However, “for years, Visa and MasterCard have successfully avoided having banks issue credit cards allowing for PIN authorization.” Instead, “in the United States, each credit card has only a single network installed on a card,” through which the defendant card networks charge fees often exceeding those charged by other PIN networks. The Home Depot argues that “[t]he single-network-per-card structure in the credit card market is not a coincidence — it is the result of explicit agreements among Visa and MasterCard.”
Specifically, The Home Depot alleges that Visa and MasterCard engaged in a pattern of anticompetitive activities to protect their “highly profitable businesses that rest on preventing competition from rival PIN networks.” The alleged antitrust violations include (1) “engaging in anticompetitive agreements … to adopt, impose, and enforce a system of rules and practices that require the payment of an interchange fee on every transaction conducted through the Visa and MasterCard networks and to adopt, impose, and enforce the use of ‘default’ levels of those fees”; (2) price-fixing of interchange fees to avoid “competing for merchant acceptance on the open market”; and (3) artificially inflating prices that “The Home Depot and other merchants pay to accept Visa- and MasterCard-branded payment cards.”
Per the Complaint, Congress attempted to “bring more competition to the market” in July 2010 with the passage of the Durbin Amendment, which provided that one network (such as Visa) “could not be both the signature debit option on the front of the card and the only PIN debit option on the back of the card” and further “capped the interchange fees that could be charged on many signature debit transactions.” However, Visa and MasterCard allegedly responded – “in direct coordination with each other,” according to the suit – by charging punitive fees to issuing banks that saw significant shifts in business from defendants’ networks to competing PIN options.
The Factual and Legal Backdrop
High stakes litigation never occurs in a vacuum – and this clash of giants is no exception. Indeed, the allegations share similarities to those recently lodged by retail powerhouse Wal-Mart against Visa in the Supreme Court of New York. Additionally, The Wall Street Journal reports that The Home Depot opted out of a 2013 settlement of a similar lawsuit – filed by hundreds of retailers – valued at $7.25 billion. Thus, The Home Depot does not appear to be alone in its frustration with the defendant credit card networks.
Moreover, it is notable that this suit comes on the heels of The Home Depot’s significant set-back in payment card data breach litigation stemming from a 2014 data breach that compromised the payment card data of approximately 56 million customers. The DIY giant had moved to have claims by a group of impacted banks and credit unions dismissed in their entirety on standing grounds – a tactic that has been successful in defeating retail data breach class actions in many jurisdictions following the U.S. Supreme Court’s holding in Clapper v. Amnesty International USA that threats of future injury must be “certainly impending” to convey Article III standing. Just last month, the Honorable Judge Thomas Thrash of the U.S. District Court for the Northern District of Georgia expressly rejected The Home Depot’s standing defense, finding “the banks have pleaded actual injury in the form of costs to cancel and reissue cards compromised in the data breach, costs to refund fraudulent charges, costs to investigate fraudulent charges, costs for customer fraud monitoring, and costs due to lost interest and transaction fees due to reduced card usage.” As the Court explained, these injuries “are not speculative and are not threatened future injuries [as implicated by Clapper], but are actual, current, monetary damages.”
Although a denial of a motion to dismiss is merely a threshold victory, it is a critical first step towards class certification by banks and credit unions. If certified, the resulting class would share many similarities with the only other retail data breach class certified to-date – a class of financial institutions impacted by the 2013 Target data breach. Moreover, The Home Depot already agreed to pay over $21 million to resolve consumer claims arising from this same breach. Thus, while the suit against Visa and MasterCard may not be directly connected to the ongoing data breach litigation, it is emblematic of a climate in which The Home Depot – and other large retailers – are increasingly concerned with payment card security, as they tend to be left holding the bag when security is breached.
What’s at Stake – for Litigants and Consumers?
This war has two fronts – and no clear victors. First, and most obviously, there is the legal dispute between The Home Depot and defendants Visa and MasterCard over the big-box retailer’s various antitrust and unfair competition claims. Those claims will likely be vigorously litigated – and the stakes are potentially enormous. Although the suit does not pray for a sum certain, it seeks treble damages and notes that “The Home Depot’s bank-card acceptance costs are nearly $750 million per year as of 2015.” However, in light of the credit card companies’ prior multi-billion dollar settlement of similar claims, an out-of-court resolution is not out of the question.
The second front is technological – will the chip and signature standard (which has only been recently adopted by many U.S. consumers) eventually be overtaken by the chip and PIN technology favored elsewhere? While the latter is certainly more “secure,” the heart of this question implicates a number of larger issues unlikely to be resolved by the subject lawsuit, including tensions between security and convenience of competing systems, the allocation of costs associated with implementing new technologies, and whether emerging innovations – such as various competing payment apps and smart phone payment systems – could provide solutions safe, convenient, and inexpensive enough to challenge payment card dominance.