IN THE UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF PENNSYLVANIA
June 16, 2006
SOVEREIGN BANK, PLAINTIFF
BJ'S WHOLESALE CLUB, INC., FIFTH THIRD BANKCORP. DEFENDANTS
The opinion of the court was delivered by: William W. Caldwell United States District Judge
Plaintiff, Sovereign Bank, filed this lawsuit against defendants, BJ's Wholesale Club, Inc., a wholesale club retailer, and Fifth Third Bank, after Sovereign incurred losses when its customers' Visa card numbers were stolen from a BJ's computer file. The cardholder information had been improperly retained in BJ's records. The losses were mainly for the cost of issuing new credit cards to replace the ones that had been compromised by the theft and for the cost of reimbursing those cardholders who had suffered unauthorized charges to their accounts.
We previously resolved the defendants' motions to dismiss the original complaint, see Sovereign Bank v. BJ's Wholesale Club, Inc., 395 F. Supp. 2d 183 (M.D. Pa. 2005), and their motions to dismiss the amended complaint, F. Supp. 2d , 2006 WL 1000058 (M.D. Pa. 2006). Our rulings have let BJ's out of the case, but we have allowed the contract claim to proceed against Fifth Third.
Fifth Third has filed a motion for reconsideration, renewing its attempt to have the contract claim dismissed. The contract claim is based on the theory that Sovereign is a third-party beneficiary of Fifth Third's member agreement with Visa, which required Fifth Third to ensure that BJ's complied with the Visa Operating Regulations, one of which prohibited retailers from retaining cardholder information. The crucial issue in deciding the validity of the contract claim is whether the parties to the member agreement, Visa and Fifth Third, had the intent or purpose to benefit Sovereign when they made the agreement.
We decided that third-party-beneficiary analysis sometimes takes into account matters outside the contract and that the issue should be resolved by way of summary judgment. We therefore gave the parties some time to conduct discovery on the "purpose" or "intent to benefit" issue related to the third-party-beneficiary claim. Discovery has been completed, and the parties have filed briefs on the issue of granting summary judgment to Fifth Third on the contract claim.
Fifth Third makes the following arguments against third-party-beneficiary status for Sovereign: (1) Visa intended the member agreement to benefit the Visa System as a whole, and not individual participants in the system, thus making the individual members like Sovereign merely incidental beneficiaries who are not entitled to enforce Fifth Third's member agreement with Visa; (2) the Visa Compliance Procedures, and Visa's enforcement of those procedures and imposition of fines, support denial of third-party beneficiary status; (3) the existence of the Operating Regulations refutes any inference that Visa intended to create third-party beneficiary rights under its membership contract; and (4) recognition of third-party contract rights would create havoc in the Visa System and threaten its integrity.
We find merit in the first argument, so we need not address the others. The facts supporting our ruling are mainly found in subsection E of section III, the "Background" section below, but for context we will set forth the facts relevant to the other arguments.
II. Standard of Review
In deciding whether summary judgment is appropriate, we "must view the facts and any reasonable inferences drawn therefrom in the light most favorable to the party opposing summary judgment." In re Flat Glass Antitrust Litig., 385 F.3d 350, 357 (3d Cir. 2004)(quoted case omitted). "Summary judgment is appropriate where there are no genuine issues of material fact and the moving party is entitled to judgment as a matter of law. See Fed. R. Civ. P. 56." P.N. v. Clementon Bd. of Educ., 442 F.3d 848, 852 (3d Cir. 2006). The party opposing summary judgment must present evidence that is more than a scintilla but can be less than a preponderance. Saldana v. Kmart Corp., 260 F.3d 228, 232 (3d Cir. 2001).*fn1 It must present sufficient evidence that a reasonable jury can find in its favor. In re CitX Corp., Inc., F.3d , , 2006 WL 1453117 at *3 (3d Cir. 2006).
The following is a fair statement of the background relevant to summary judgment.*fn2 Visa U.S.A. Inc. is a corporation, made up of an association of financial institutions, which operates a credit-card payment system. The "member" financial institutions are either "issuers" or "acquirers." An "issuer" is a financial institution that issues Visa-brand cards to customers who use the cards in consumer transactions. An "acquirer" processes transactions made with those cards on behalf of "merchants," businesses that agree to accept Visa cards in retail transactions.
Sovereign is an issuer. Fifth Third is an acquirer; it processes Visa card transactions on behalf of BJ's, a merchant.
A. BJ's Compromise--The Breach of BJ's Computer Files
In February 2004, Visa identified a potential compromise with respect to certain Visa cards that had been used at BJ's. Visa issued an alert to issuers, known as a CAMS alert, notifying them of accounts potentially at risk because they were used at BJ's during the period of possible compromise, which was identified as July 2003 through February 2004.
A CAMS alert is generally a notification Visa issues that there may have been exposure of consumer data at a particular merchant or processor and is intended to provide issuers with as much information as Visa can gather about accounts that may have been exposed to a compromise. A CAMS alert does not signify that there is clear evidence that any particular account has been compromised, just that it may have been. An issuer has discretion as to how to manage a response to a CAMS alert; it may monitor those accounts, reissue cards, or take other measures.
If cardholder data is used fraudulently, the issuer must reimburse the cardholder's account and bear the initial burden of fraud losses. The issuer's replacement of a compromised Visa card is an operational expense to the issuer.
B. The Operating Regulations
Visa has "Operating Regulations" that govern members' participation in the Visa system. In addition to the Operating Regulations, Visa has a set of requirements designed to preserve the security of cardholder data called the Cardholder Information Security Program ("CISP"). Both the CISP and Operating Regulations prohibit merchants from retaining and storing the magnetic-stripe data from Visa cards after a transaction.
Visa's Board of Directors has the authority to adopt or amend the Operating Regulations. The Regulations are comprehensive, addressing virtually every area of administering the payment system, such as: (i) requirements that all members must follow, including license of the Visa brand; (ii) general security requirements; (iii) requirements for card issuance; (iv) requirements for acquirers with respect to merchant agreements and interchange reimbursement fees; (v) requirements for card acceptance by merchants; (vi) requirements for payment processing, including authorization, clearing and settlement; (vii) chargeback and representment rights;*fn3 (viii) specific fees and charges applicable to members' and processors' procedures for their collection and disbursement; (ix) Visa cards and Visa marks specifications; and (x) dispute resolution.
According to Visa's Fed. R. Civ. P. 30(b)(6) corporate representative:
It's important for Visa, as an association among thousands of members, to develop a common set of rules, requirements, and procedures that would apply to the membership as a whole in order to achieve [its] goals ... in terms of providing a competitive payment service and delivering value to all the stakeholders in a way that would maximize participation in the system, reduce risks to participants in the system, support the value of the Visa brand and the brand strength, and develop the underlying processing systems that support the transactions. (Doc. 52, Alex Miller deposition, p. 95).
Visa's representative also testified that: Its fair to say that the core purpose of the Operating Regulations is to set up the conditions for participation in the system, to set up the rules and standards that apply to that[,] ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants, and others who may participate in the system as well. (Id., p. 100).*fn4 In response to Fifth Third's follow-up question that "they" (meaning the entities named) might "have some incidental benefit" from the Operating Regulations, the representative stated:
The bylaws and operating regulations, by their terms, apply only to members. So to the extent you mean they might have benefits beyond the rules that apply to other stakeholders, that's correct. They're [meaning the other stakeholders] not directly parties to these rules. (Id., pp. 100-01)(brackets added).
Visa has invested enormous time and effort in developing, modifying, interpreting, and enforcing its Operating Regulations. In fact, Visa publishes updated versions of the Operating Regulations twice yearly because it "is constantly encountering new opportunities, new challenges, new issues, and the rules need to . . . track whatever the current environment is to address those problems and opportunities." (Id., pp. 96-97).*fn5
The Operating Regulations attempt to balance the interests of the various participants in the Visa system. According to Visa's representative:
The Visa system only operates to its maximum capacity if you are balancing the various interests of participants in the system properly for the allocation of risks, of opportunities, of other characteristics, yes, there's a balancing that goes on that is inherent in the -- in the rules. (Id., p. 101).
C. Dispute Resolution Under the Operating Regulations
Section 1.6 of the Operating Regulations, entitled Enforcement, sets out procedures and is the means by which Visa enforces compliance with its membership contracts with respect to violations of the Operating Regulations. Under Section 1.6, Visa levies fines and penalties against members that Visa has found to be non-complying. Section 1.6 also contains other measures aimed at remediation of violations. Section 1.6 further provides that a member found to have been non-complying may appeal its fine to the Visa Board of Directors and that the decision of the Board on appeal "is final and not subject to any challenge."
The Operating Regulations provide a scheme for resolving disputes between members arising out of violations of the Operating Regulations and participation in the Visa system. The Visa representative testified that Visa promotes the use of thee dispute resolution procedures and designs those rules to: facilitate efficient, expedited dispute resolutions among members ... that ultimately helps support the value of Visa and the payment services to the participants ... [b]y providing relatively efficient . . . and expedited mechanisms for resolving disputes rather than having disputes decided through lengthy procedures over which Visa has no role or control." (Doc. 52, p. 139).
The dispute resolution provisions are contained in a separate volume of the Operating Regulations consisting of roughly 800 pages and divided into three distinct procedures: Dispute Resolution, Arbitration, and Compliance.
Both the Dispute Resolution and Arbitration provisions of the Operating Regulations govern the determination of rights and responsibilities of members in the context of disputed chargebacks or representments. Chargeback and representment rights arise under the rules under certain circumstances, and, in essence, provide mechanisms for reversing a payment transaction, thereby shifting a loss or cost to another participant within the Visa system.
When a member has no chargeback or representment right, but there has been a violation of an Operating Regulation, it may file a "Compliance" action against another member if the filing member incurred or will incur a direct financial loss as a result of the violation and the member would not have incurred the loss had the violation not occurred. The purpose of Compliance is to shift a loss from one member to another.
Visa sets forth a number of procedures that members must follow in order to initiate a Compliance action. The Operating Regulations specify that the complaining member must initiate "pre-Compliance" and attempt to resolve the dispute with the other member prior to filing a Compliance action. Section 3.3A. The Operating Regulations further specify requirements for the time of filing, necessary documentation, and filing fees. Section 3.4.B.
Visa reserves the right through its Compliance Committee to determine whether or not a violation of the Operating Regulations has occurred and whether the request for Compliance is valid. Based on the Operating Regulations in force at the time of the transaction and the information submitted in support of the Compliance action, Visa issues a decision, which is final and binding, subject only to the limited right of appeal provided by the Operating Regulations.
As noted by the Visa representative, Visa is in a "position to equitably allocate loss and risks among members, and it reserves to itself the right to determine violations and, under the Compliance process, make determinations of loss shifting and so forth under [the] regulations." (Doc. 52, p. 194).
The compliance process does not provide issuers a means to recover "operational costs." Those costs include card replacement costs, one of the items of damages Sovereign seeks to recover here. An issuer's cancellation and reissuance of compromised Visa cards prevents further fraud losses and protects the acquirer from the consequences of its breach, but the Visa System does not provide any mechanism for issuers to recover the costs associated with that card replacement. Still, the issuer can recover compensation for "fraud losses" from an acquirer through Visa's compliance system, meaning losses incurred by the fraudulent use of a compromised card. The Visa representative testified that he had a "general understanding" that the omission of operational costs from recovery in the compliance process was a business decision made as part of its analysis of the proper allocation of responsibility, costs and risks for participants in the Visa system.
A forensic investigation of BJ's systems subsequently revealed that BJ's credit-card processing system, improperly stored full magnetic-stripe data. As a result of the storage of this data, a number of issuers have filed a total of 2,739 pre-Compliance and Compliance cases against Fifth Third in accordance with the procedures set forth in the Operating Regulations. Through the Compliance process, Visa exercised its right under the Operating Regulations to reallocate certain fraud losses by assessing those losses to Fifth Third, thereby relieving some issuers of those losses. In all, Visa has awarded and Fifth Third has paid a total of $872,664 to date to issuers for BJ's related Compliance cases, and Pre-Compliance and Compliance cases continue to be filed on an ongoing basis.
Moreover, Visa exercised additional rights under the Fifth Third Contract and took enforcement action pursuant to Section 1.6 of the Operating Regulations. In November 2004, Visa levied and collected $555,000 in fines and penalties against Fifth Third for violations of the Operating Regulations and CISP. Furthermore, Visa required remediation of the violation. Fifth Third paid these fines and penalties and took all actions necessary to remediate the compromise and comply with the Operating Regulations and its contract with Visa. Fines are not paid to issuers and do not compensate issuers for damages resulting from data compromise. (Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, doc. 97, at p. 187 (M.D. Pa.)).
D. Whether the Dispute Resolution Procedures Are Exclusive
CISP was created in 2001. A June 2001 summary explains why:
[T]he Cardholder Information Security Program was developed to help establish security procedures that protect cardholder information . . . Compliance with this program is vital in order to strengthen cardholder confidence in the security of electronic commerce. Members are responsible under the By-Laws for indemnifying Visa against losses and claims of third parties arising in connection with their Visa programs. (Doc. 58, Visa Dep., Ex. V-9, p. 3).
Bearing more directly on the issue of the exclusivity of the dispute-resolution procedures, the summary continued:
Also Members who are damaged by actions or omissions of other Members or Merchants may have recourse through legal remedies. These remedies do not fully compensate Visa and injured Members and may be costly and in many cases impractical to obtain. Additionally, monetary recoveries do not compensate for injuries to the Visa and Members' brands that are irreparable. Therefore, enforcement authority is proposed to augment existing recourse in order to avert Members' exposure to losses. Specifically, it is proposed that, effective immediately upon Board approval, the Operating Regulations be revised to specify the following fines for failure to comply . . . with the requirements of the Cardholder Information Security Program . . . It is also proposed that the Operating Regulations be revised to require Acquirers, no later than January 1, 2002, to specifically state in their Merchant agreements that compliance with the provisions of the Cardholder Information Security Program is a requirement. (Id.).
After the breach of BJ's computer system was discovered, Fifth Third submitted written questions to Visa regarding the compliance process. The fifth question was: "Can an issuer file a claim solely because the credit card number was on the CAMS audit?" The sixth question was: "If an issuer chooses to take no action based upon the alerts and subsequent fraud occurs, can the issuer file a pre-compliance case?"
Visa responded as follows:
For purposes of Visa's compliance process, the Issuer must prove that a financial loss has been incurred as a direct result of the violation and that the loss would not have occurred if the Operating Regulation was not violated . . . In addition, the compliance process is available to an Issuer only when no chargeback right exists for the disputed transaction. In addition, Issuers can seek to enforce any legal rights or remedies they may have outside the Visa compliance process. (Doc. 58, Visa Dep., Ex. V-10, p. 3) (emphasis added).
The Visa representative testified that a response like the one above is a suggestion to members that if they have legal rights outside the Visa compliance process, "the compliance process doesn't preclude them from seeking to assert those rights." (Doc. 52, p. 60).
The Compliance system, and the other dispute resolution procedures provided by the Operating Regulations, do not eliminate a member's right to pursue other legal remedies that may be available outside the Visa compliance system, for example a fraud or negligence claim. (Id., p. 61). Nor could the Visa representative recall if the dispute-resolution procedures preclude an issuer from recovering operational expenses, such as card replacement costs, through legal remedies. (Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, doc. 97, at p. 185 (M.D. Pa.)).
However, the representative was "not aware of an intent by Visa to create under its rules [i.e. Operating Regulations] direct rights of enforcement between" [members] . . . and he has never seen any document that would allow a member "to step into Visa's shoes under its contract with other members." (Doc. 52, p. 62).
E. Whether Visa Intended to Protect Issuers by an Acquirer's Promise To Ensure Data Security
Visa first prohibited the retention of magnetic-stripe data in 1993. In August 1993, in a document entitled "Retention of Magnetic-Stripe Data Prohibited," Visa stated:
To protect the Visa system and Issuers from the potential fraud exposure created by databases of magnetic-stripe information, Section 6.21 has been revised. Effective September 1, 1993, the retention or storage of magnetic-stripe data subsequent to the authorization of a transaction is prohibited. Acquirers are obligated to ensure that their merchants do not store the magnetic-stripe information from Visa Cards for any subsequent use. (Doc. 58, Visa Dep., Ex. V-5, first page) (emphasis added).
In May 2003, Visa placed on line a document entitled "Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored." This document stated that CISP "was established to preclude a compromise that could lead to the duplication of valid magnetic-stripe data on counterfeit or altered cards," as such a data compromise "impacts Issuers, Acquirers, cardholder goodwill, and the integrity of the payment system." (Doc. 58, Ex. V-6, first page). To prevent such a compromise, issuers and acquirers must ensure that "their ATM processors, Merchants, and any other processors or third party service organizations do not retain full-track magnetic-stripe data." (Id.).
The Visa representative testified as to CISP's intent:
The purpose of the CISP program, as I understand it, is to maximize the value to the Visa system as a whole. That can include the protection of any entity that may be involved in the use or - or handling of cardholder data, so it's to protect a cardholder, the privacy of their information, to protect their confidence in using the Visa system, to protect issuers, to protect acquirers, to protect merchants; and by creating a system that protects cardholder data, generally it's to maximize the usage and value of the Visa payment system for all those participants. (Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, doc. 97, at p. 36 (M.D. Pa.))(emphasis added).
Upon further questioning, the Visa representative stated:
The part of your question I'm struggling with is to say whether that was the purpose or not. I think I summarized what the purpose was.
One of the entities that is impacted by the Cardholder Information Program is issuers, as well as acquirers, merchants and cardholders.
So my understanding was the purpose was not directed at any one of those entities but to maximize the value of the system in protecting cardholder information for all of the participants. (Doc. 52, p. 37). The representative added, "Issuers would be among the entities, along with the others I listed, that would benefit from robust protection of cardholder information." (Id.).
Later, in response to a question whether Visa had intended to give issuers the benefit of the acquirers' compliance with CISP, the Visa representative testified again:
Visa designed the CISP program to benefit the Visa system as a whole, to drive confidence in the integrity of the Visa system, to drive greater, greater efficiency, to drive cardholder security, and to do that from requirements that apply to all Visa members that designed ultimately to yield a more efficient system on behalf of all those participants. (Doc. 58, pp. 41-42).
In response to a follow-up question that an issuer would be one of those participants protected by CISP, the representative stated:
I think I tried to explain already the general purpose of the CISP program and the fact that if it's implemented properly, it's going to yield benefits to a number of different stakeholders in the system, including issuers, cardholders, acquirers, merchants, and Visa itself. (Doc. 52, p. 42).
The representative also testified that he was not aware of any Operating Regulation limiting issuers' rights to enforce agreements between Visa and acquirers as third-party beneficiaries to those agreements. (Id., p. 184).
Visa maintains that "[d]ata security applies to everyone in the payment system, as outlined in the Visa U.S.A. Operating Regulations." (Doc. 52, Tab B-28, Fifth Third-PSECU 000791). The general security requirements outlined in Section 2.3 of the Operating Regulations apply to both issuers and acquirers. Under Section 2.3, Visa retains the discretion to implement its security procedures with respect to a given participant in the Visa system, but states that it is not obligated to take any such action in order to protect any members, merchants, or cardholder from financial injury.
In addition to the security guidelines contained in the Operating Regulations themselves, Section 2.2M of the Operating Regulations incorporates the CISP program. Section 2.2M provides that "[a] Member must comply, and ensure that its Merchants and Agents comply" with the requirements of CISP. CISP applies to both issuers, such as Sovereign, and acquirers, such as Fifth Third. It is intended to protect cardholder data wherever it resides and "to build a culture of security that benefits all parties." (Doc. 52, Tab B-27). It protects all participants in the system by increasing confidence in the payment system and protecting valuable business reputations of merchants. Further, CISP, by protecting the integrity of the payment system, drives efficiency and maximizes participation, which benefits all stakeholders. (Id.).
Visa has published in chart form the benefits of CISP compliance for each class of stakeholder in the Visa system. FOR "Everyone" there is "Limited risk" and "More confidence in the payment industry." For a member, there is protection of its reputation. For a merchant or a service provider, there is "competitive edge gained," "increased revenue and improved bottom line," "positive image maintained," and protection of customers. For the "Industry," there is encouragement of "good security neighbors," and safeguarding of information. And for the consumer, there is "identity theft prevention." (Id.).
F. Members Are Bound by the Operating Regulations
Pursuant to their membership agreements with Visa, all members agree to be bound by the Operating Regulations as amended from time to time. Thus, Fifth Third's membership agreement with Visa requires that Fifth Third comply with the Operating Regulations, as amended.
In addition, the Operating Regulations require that an acquirer "ensure that its Merchants and Agents comply with the requirements of the CISP. The Operating Regulations also require that an acquirer include language in each contract with its merchants "which states that compliance with the provisions of the CISP is a requirement." (Pennsylvania State Employees Credit Union v. Fifth Third Bank, No. 1:CV-04-1554, doc. 97, Ex. V-3 (M.D. Pa.)). Thus, Fifth Third, as an acquirer, is obligated to ensure that its merchants, like BJ's, comply with the CISP and Operating Regulations.
A. Applicable Third-Party-Beneficiary Law
The only issue presented is whether Sovereign has a third-party-beneficiary claim against Fifth Third under Fifth Third's member agreement with Visa. As we have noted, resolution of that issue depends upon whether the parties to the member agreement, Visa and Fifth Third, had the intent or purpose to benefit Sovereign when they made the agreement.
This claim could present a choice between Ohio and Pennsylvania law, but both Ohio and Pennsylvania have adopted the Restatement (Second) of Contracts § 302 (1981) for determining third-party-beneficiary status. See Hill v. Sonitrol of Southwestern Ohio, Inc., 36 Ohio St.3d 36, 40, 521 N.E.2d 780, 784 (1988); Scarpitti v. Weborg, 530 Pa. 366, 370-71, 609 A.2d 147, 149-50 (1992). Further, the parties have cited Ohio and Pennsylvania cases on this issue, so we will not distinguish between the law of the two states.*fn6
Section 302(1) reads as follows:
(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and either
(a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or
(b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.
Restatement (Second) of Contracts § 302 (1981).
In this case, the promisor, Fifth Third, and the promisee Visa did not otherwise agree that Sovereign would not be a third-party beneficiary of the member agreement between Visa and Fifth Third. Additionally, subsection (a) is irrelevant here since the promisee Visa owes no money to Sovereign. Hence, Sovereign's third-party-beneficiary status will depend upon whether "recognition of a right to performance" in Sovereign "is appropriate to effectuate the intentions of" both Visa and Fifth Third in making the member agreement and whether "the circumstances indicate that" Visa (the promisee) "intend[ed] to give Sovereign "the benefit of the promised performance." See Trinova Corp. v. Pilkington Bros., P.L.C., 70 Ohio St.3d 271, 277, 638 N.E.2d 572, 576-77 (1994); Scarpitti, supra, 530 Pa. at 372-73, 609 A.2d at 150-51.
If Visa had no intent to benefit Sovereign, then Plaintiff is merely an incidental beneficiary of the agreement, not an intended one, and has no rights under the contract between Visa and Fifth Third. See Hill, supra, 36 Ohio St.3d at 40, 521 N.E.2d at 784-85. "The so-called 'intent to benefit' test provides that there must be evidence, on the part of the promisee, that he intended to directly benefit a third party, and not simply that some incidental benefit was conferred on an unrelated party by the promisee's actions under the contract. There must be evidence that the promisee assumed a duty to the third party." Trinova Corp., supra, 70 Ohio St.3d 277-78, 638 N.E.2d at 577.
B. Visa Intended Its Agreement With Fifth Third to Benefit the Visa System as a Whole, and Not Individual Participants in the System, Thus Making the Individual Members Like Sovereign Merely Incidental Beneficiaries Who Are Not Entitled to Enforce Fifth Third's Member Agreement With Visa
As noted, for Plaintiff to invoke third-party-beneficiary rights, the promisee Visa must have intended that Sovereign benefit from Fifth Third's member agreement with Visa. Fifth Third argues that Visa did not have that intention and relies on the following evidence.
First, the Visa representative testified that he was not aware that Visa intended to create a direct right of enforcement under the Operating Regulations between members and has never seen a document that would allow a member "to step into Visa's shoes under its contract with other members" to enforce the Operating Regulations. Second, the Visa representative also stated:
[T]he core purpose of the Operating Regulations is to set up the conditions for participation in the system, to set up the rules and standards that apply to that[,] ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants, and others who may participate in the system as well. (Doc. 52, Alex Miller deposition, p. 100).*fn7 Fifth Third contends that this assertion by itself is enough to defeat Plaintiff's third-party-beneficiary claim.
In opposition, Sovereign argues that there is sufficient evidence that Visa did intend to benefit it, so Fifth Third is not entitled to summary judgment. Sovereign begins with the quotation above, arguing that Fifth Third has taken it from its context, that immediately before this testimony the Visa representative refused to accept Fifth Third's characterization of the Operating Regulations as only intending to benefit the Visa system as a whole and that the quotation actually shows that the Operating Regulations were intended to benefit not just the system but specific entities, with the Visa representative listing them as the "members" in the system "and other stakeholders such as cardholders, merchants, and others who may participate in the system as well." (Id., p. 100). Further, Sovereign argues that the representative distinguished between Visa members and other stakeholders, making the former intended beneficiaries and the latter incidental beneficiaries, when he stated that members "might have benefits beyond the rules that apply to other stakeholders" because the latter are "not directly parties to these rules." (Id., pp. 100-01).
Next, Sovereign relies on certain Visa documents. It points to the August 1993 document, entitled "Retention of Magnetic-Stripe Data Prohibited," where Visa first stated an intention to prohibit the retention of magnetic-stripe data, to begin on September 1, 1993. The document stated the purpose of the prohibition was to "protect the Visa system and Issuers from the potential fraud exposure created by databases of magnetic-stripe information . . . ." (Doc. 58, Visa Dep., Ex. V-5, first page)(emphasis added).
Plaintiff also relies on the May 2003 on-line Visa document, entitled "Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored." This document stated that CISP "was established to preclude a compromise that could lead to the duplication of valid magnetic-stripe data on counterfeit or altered cards," as such a data compromise "impacts Issuers, Acquirers, cardholder goodwill, and the integrity of the payment system." (Doc. 58, Ex. V-6, first page).
Upon review of the record bearing on Visa's intent (including portions not cited by Plaintiff), we must agree with Fifth Third that Visa did not intend Sovereign to be a third-party beneficiary of Visa's member agreement with Fifth Third. There are only two pieces of evidence that support Plaintiff's contention that Visa intended to benefit an issuer like Sovereign. There is the early document from August 1993, when Visa first started the ban on retention of magnetic-stripe data, and indicated it was intended to protect issuers as well as the Visa system. And there is the Visa representative's "core purpose" statement, that the core purpose of the Operating Regulations was to benefit the Visa payment system, and to an apparently equal degree, Visa members and other stakeholders.
But the latter statement is significantly weakened by the very mention of every entity that might have contact with the system, down to the generic "others who may participate in the system as well." Moreover, the Visa representative has also clearly indicated several times that the prohibition on retaining cardholder information was only intended to benefit the Visa system as a whole. He may state the obvious in many of his answers, that issuers as well as other entities or participants in the system benefit from the ban, but in context he plainly states that the ban is intended to protect the system, not individual entities that may be involved in it.
By way of brief review, he initially asserts that the purpose of the CISP program "is to maximize the value to the Visa system as a whole," and to do that the CISP program will provide "protection [to] any entity that may be involved in" cardholder information. At another point, he responds to a question about whether at least one "purpose," even if there were other purposes, for obligating the acquirer to ensure merchant compliance with the system was to protect issuers:
The part of your question I'm struggling with is to say whether that was the purpose or not. I think I summarized what the purpose was.
One of the entities that is impacted by the Cardholder Information Program is issuers, as well as acquirers, merchants and cardholders. So my understanding was the purpose was not directed at any one of those entities but to maximize the value of the system in protecting cardholder information for all of the participants. (Id., p. 37).
Later, in response to a question whether Visa had intended to give issuers the benefit of the acquirers' compliance with CISP, the Visa representative testified again:
Visa designed the CISP program to benefit the Visa system as a whole, to drive confidence in the integrity of the Visa system, to drive greater, greater efficiency, to drive cardholder security, and to do that from requirements that apply to all Visa members that designed ultimately to yield a more efficient system on behalf of all those participants. (Id., pp. 41-42).
In the face of this evidence of Visa's intent, we do not believe that the single August 1993 reference to benefitting issuers nor the ambiguous "core purpose" statement is sufficient evidence to lead a reasonable jury to find for Plaintiff on the contract claim.
We also disagree with Plaintiff's interpretation of other evidence that issuers were supposed to be intended beneficiaries of the member agreement between Visa and Fifth Third. Sovereign points to the May 2003 on-line Visa document, entitled "Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored," but this document is only evidence of the reason for the prohibition, because a data compromise "impacts Issuers, Acquirers, cardholder goodwill, and the integrity of the payment system," (doc. 58, Ex. V-6, first page), not a statement of intent to benefit issuers.
Sovereign also asserts that the representative stated that it was an intended beneficiary because he testified that members "might have benefits beyond the rules that apply to other stakeholders" because the other stakeholders are not direct parties to the rules, (doc. 52, pp. 100-01), thereby creating a distinction between members as direct beneficiaries and other stakeholders as incidental beneficiaries. We do not believe this is a reasonable inference from the testimony. The representative only stated that members like Sovereign "might have benefits" beyond those enjoyed by other stakeholders. This is a simple statement of fact, given the role an issuer like Sovereign plays in the Visa System.
It cannot be disputed that Sovereign benefits from the prohibition on the retention of magnetic-stripe data. It is probably also true that as an issuer it has the greatest need for such a prohibition, and benefits the most from it, since its cardholders' information is at risk if a merchant or other entity retains such data so that it is subject to theft. But one essential part of the test for third-party-beneficiary status is that the promisee, here Visa, must have intended to benefit the third party. There is sufficient evidence on summary judgment to state that Visa had no such intent. In sum, as Fifth Third argues, Sovereign is at most an incidental beneficiary of the member agreement between Visa and Fifth Third, and an incidental beneficiary has no right to enforce a contract, Hill, supra, 36 Ohio St.3d at 42, 521 N.E.2d at 786; Burks v. Fed. Ins. Co., 883 A.2d 1086, 1087 (Pa. Super. 2005), no matter how great a stake it might have in doing so.*fn8
Since Plaintiff has failed to show that Visa intended to benefit it in its member agreement with Fifth Third, we need not address Fifth Third's remaining arguments against third-party-beneficiary status for Sovereign: (1) the Compliance Procedures, and Visa's enforcement of those procedures and imposition of fines, support denial of third-party-beneficiary status; (2) the existence of the Operating Regulations refutes any inference that Visa intended to create third-party-beneficiary rights under its membership contract; and (3) recognition of third-party contract rights would create havoc in the Visa System and threaten the integrity of the payment system.
Upon full consideration of the thorough and well- reasoned briefs submitted on the issue presented, we will enter summary judgment in favor of defendant Fifth Third on the contract claim, thus disposing of the last claim in the case. We have also concluded that oral argument would not assist the court in resolving this case. The joint request for oral argument will therefore be denied.
We will issue an appropriate order.
AND NOW, this 16th day of June, 2006, it is ordered that:
1. The joint request (doc. 53) for oral argument is denied.
2. Defendant Fifth Third's motion for reconsideration (doc. 18), treated as a motion for summary judgment, is granted.
3. Judgment is hereby entered in favor of defendant Fifth Third and against plaintiff Sovereign Bank on count IV of the amended complaint.
4. The Clerk of Court shall close this file.
William W. Caldwell United States District Judge