The opinion of the court was delivered by: William W. Caldwell United States District Judge
The plaintiff, Pennsylvania State Employees Credit Union (PSECU), participates in the Visa bank-card system. PSECU filed this lawsuit seeking damages represented by the costs of replacing Visa cards that had been "compromised" by a theft of bank-card numbers from computer files maintained by defendant, BJ's Wholesale Club, Inc., a wholesale club retailer. In addition to BJ's, PSECU sued Fifth Third Bank, the bank that processes card transactions for BJ's. In an amended complaint, the two defendants were each sued for breach of contract, negligence, equitable indemnification, and unjust enrichment. The basis of the action was that BJ's improperly retained cardholder data after a retail transaction had been completed, rather than keep the data only for the time necessary to complete the transaction, in violation of Visa rules.
The defendants filed motions to dismiss. By memorandum and order of October 18, 2005, we dismissed all four counts against BJ's and three of the counts against Fifth Third, leaving only the contract claim alive against the latter defendant. See Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317 (M.D. Pa. 2005).
Fifth Third filed a motion for reconsideration, renewing its attempt to have the contract claim dismissed. This claim is based on the theory that PSECU is a third-party beneficiary of Fifth Third's member agreement with Visa, which required Fifth Third to ensure that BJ's complied with the Visa Operating Regulations, one of which prohibited retailers from retaining cardholder information.
The crucial issue in deciding the validity of the contract claim is whether the parties to the member agreement, Visa and Fifth Third, had the intent or purpose to benefit PSECU when they made the agreement. In response to Fifth Third's motion for reconsideration, PSECU suggested that discovery on this issue would be appropriate. We agreed, after deciding that third-party-beneficiary analysis sometimes takes into account matters outside the contract and that the issue should be resolved by way of summary judgment. We therefore gave the parties some time to conduct discovery on the "purpose" or "intent to benefit" issue related to the third-party-beneficiary claim. Discovery has been completed, and the parties have filed briefs on the issue of granting summary judgment to Fifth Third on the contract claim.
Fifth Third makes the following arguments against third-party-beneficiary status for PSECU: (1) both Visa and Fifth Third intended the member agreement to benefit the Visa System as a whole, and not individual participants in the system, thus making the individual members like PSECU merely incidental beneficiaries who are not entitled to enforce Fifth Third's member agreement with Visa; (2) Visa's Compliance Procedures, and Visa's enforcement of those procedures and imposition of fines, support denial of third-party beneficiary status; (3) the existence of the Operating Regulations refutes any inference that Visa intended to create third-party beneficiary rights under its membership contract; (4) PSECU is improperly claiming greater rights as a third-party beneficiary than is allowed under its own member agreement, even if it is a third-party beneficiary; and (5) recognition of third-party contract rights would create havoc in the Visa System and threaten the integrity of the payment system.
We find merit in the first argument, so we need not address the others. The facts supporting our ruling are mainly found in subsection E of section III, the "Background" section below, but for context we will set forth the facts relevant to the other arguments.
In deciding whether summary judgment is appropriate, we "must view the facts and any reasonable inferences drawn therefrom in the light most favorable to the party opposing summary judgment." In re Flat Glass Antitrust Litig., 385 F.3d 350, 357 (3d Cir. 2004)(quoted case omitted). "Summary judgment is appropriate where there are no genuine issues of material fact and the moving party is entitled to judgment as a matter of law. See Fed. R. Civ. P. 56." P.N. v. Clementon Bd. of Educ., 442 F.3d 848, 852 (3d Cir. 2006). The party opposing summary judgment must present evidence that is more than a scintilla but can be less than a preponderance. Saldana v. Kmart Corp., 260 F.3d 228, 232 (3d Cir. 2001). It must present sufficient evidence that a reasonable jury can find in its favor. In re CitX Corp., Inc., F.3d , , 2006 WL 1453117 at *3 (3d Cir. 2006).
The following is a fair statement of the background relevant to summary judgment.*fn1 Visa U.S.A. Inc. is a corporation, made up of an association of financial institutions, which operates a credit-card payment system. The "member" financial institutions are either "issuers" or "acquirers." An "issuer" is a financial institution that issues Visa-brand cards to customers who use the cards in consumer transactions. An "acquirer" processes transactions made with those cards on behalf of "merchants," businesses that agree to accept Visa cards in retail transactions.
PSECU is an issuer. Fifth Third is an acquirer; it processes Visa card transactions on behalf of BJ's, a merchant.
A. BJ's Compromise-The Breach of BJ's Computer Files
In February 2004, Visa identified a potential compromise with respect to certain Visa cards that had been used at BJ's. Visa issued an alert to issuers, known as a CAMS alert, notifying them of accounts potentially at risk because they were used at BJ's during the period of possible compromise, which was identified as July 2003 through February 2004.
Generally, a CAMS alert is a notification Visa issues that there may have been exposure of consumer data at a particular merchant or processor and is intended to provide issuers with as much information as Visa can gather about accounts that may have been exposed to a compromise. A CAMS alert does not signify that there is clear evidence that any particular account has been compromised, just that it may have been. An issuer has discretion as to how to manage a response to a CAMS alert; it may monitor those accounts, reissue cards, or take other measures.
If cardholder data is used fraudulently, the issuer must reimburse the cardholder's account and bear the initial burden of fraud losses. The issuer's replacement of a compromised Visa card is an operational expense to the issuer.
B. The Operating Regulations
Visa has "Operating Regulations" that govern members' participation in the Visa system. In addition to the Operating Regulations, Visa has a set of requirements designed to preserve the security of cardholder data called the Cardholder Information Security Program ("CISP"). Both the CISP and Operating Regulations prohibit merchants from retaining and storing the magnetic-stripe data from Visa cards after a transaction.
Visa's Board of Directors has the authority to adopt or amend the Operating Regulations. The Regulations are comprehensive, addressing virtually every area of administering the payment system, such as: (i) requirements that all members must follow, including license of the Visa brand; (ii) general security requirements; (iii) requirements for card issuance; (iv) requirements for acquirers with respect to merchant agreements and interchange reimbursement fees; (v) requirements for card acceptance by merchants; (vi) requirements for payment processing, including authorization, clearing and settlement;*fn2 (vii) chargeback and representment rights; (viii) specific fees and charges applicable to members' and processors' procedures for their collection and disbursement; (ix) Visa cards and Visa marks specifications; and (x) dispute resolution.
According to Visa's Fed. R. Civ. P. 30(b)(6) corporate representative:
It's important for Visa, as an association among thousands of members, to develop a common set of rules, requirements, and procedures that would apply to the membership as a whole in order to achieve [its] goals ... in terms of providing a competitive payment service and delivering value to all the stakeholders in a way that would maximize participation in the system, reduce risks to participants in the system, support the value of the Visa brand and the brand strength, and develop the underlying processing systems that support the transactions. (Doc. 97, Alex Miller deposition, p. 95).
Visa's representative also testified that: Its fair to say that the core purpose of the Operating Regulations is to set up the conditions for participation in the system, to set up the rules and standards that apply to that[,] ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants, and others who may participate in the system as well.
Visa has invested enormous time and effort in developing, modifying, interpreting, and enforcing its Operating Regulations. In fact, Visa publishes updated versions of the Operating Regulations twice yearly because it "is constantly encountering new opportunities, new challenges, new issues, and the rules need to . . . track whatever the current environment is to address those problems and opportunities." (Id., pp. 96-97).
The Operating Regulations attempt to balance the interests of the various participants in the Visa system. According to Visa's representative:
The Visa system only operates to its maximum capacity if you are balancing the various interests of participants in the system properly for the allocation of risks, of opportunities, of other characteristics, yes, there's a balancing that goes on that is inherent in the -- in the rules. (Id., p. 101).
C. Dispute Resolution Under the Operating Regulations
Section 1.6 of the Operating Regulations, entitled Enforcement, sets out procedures and is the means by which Visa enforces compliance with its membership contracts with respect to violations of the Operating Regulations. Under Section 1.6, Visa levies fines and penalties against members that Visa has found to be non-complying. Section 1.6 also contains other measures aimed at remediation of violations. Section 1.6 further provides that a member found to have been non-complying may appeal its fine to the Visa Board of Directors and that the decision of the Board on appeal "is final and not subject to any challenge."
The Operating Regulations provide a scheme for resolving disputes between members arising out of violations of the Operating Regulations and participation in the Visa system. The Visa representative testified that Visa promotes the use of the dispute-resolution procedures and designs those rules to: facilitate efficient, expedited dispute resolutions among members . . . that ultimately helps support the value of Visa and the payment services to the participants . . .
[b]y providing relatively efficient . . . and expedited mechanisms for resolving disputes rather than having disputes decided through lengthy procedures over which Visa has no role or control. (Doc. 97, p. 139).
The dispute-resolution provisions are contained in a separate volume of the Operating Regulations consisting of roughly 800 pages and divided into three distinct procedures: Dispute Resolution, Arbitration, and Compliance.
Both the dispute-resolution and arbitration provisions of the Operating Regulations govern the determination of rights and responsibilities of members in the context of disputed chargebacks or representments. Chargeback and representment rights arise under the rules under certain circumstances, and, in essence, provide mechanisms for reversing a payment transaction, thereby shifting a loss or cost to another participant within the Visa system.
When a member has no chargeback or representment right, but there has been a violation of an Operating Regulation, it may file a "Compliance" action against another member if the filing member incurred or will incur a direct financial loss as a result of the violation and the member would not have incurred the loss had the violation ...