Class Action Alleges Banc of America Merchant Services Charged Unauthorized Data Security Fees

A proposed class action claims Banc of America Merchant Services, LLC (BAMS) and successor Fiserv, Inc. have charged merchants excessive fees not permitted by their contracts.

Filed July 27 in California’s Central District Court, the 20-page case more specifically alleges the companies have assessed both a monthly $19.95 “Clover Security Plus” fee to ensure customers’ business transactions were compliant with applicable security standards and a monthly $20 “Non Receipt of PCI validation fee” for non-compliance with the same security benchmarks.

Neither fee is permitted under the terms of merchants’ contracts with the defendants, according to the lawsuit. The suit claims many other small business customers such as the plaintiff, a San Bernardino County, California mobile spa, have been charged the same unauthorized costs and thus incurred “hundreds of dollars in onerous illegal monthly fees.”

Banc of America Merchant Services (BAMS), a joint venture between Bank of America and First Data, now Fiserv, offers merchant services that allow businesses to process customers’ credit and debit card payments, the lawsuit explains. As part of their services, the defendants provide a Clover point-of-sale credit and debit card reader with which merchants can accept payment through cards, checks and mobile wallets, the suit relays. Importantly, the defendants require every merchant customer to be compliant with PCI data security standards (PCIDSS), a set of rules developed by credit card companies with the intent to protect cardholder data from security breaches, according to the complaint.

BAMS’ merchant processing application and agreement requires merchant customers to submit validation of their PCIDSS compliance each year by August 1 or pay a $40 annual non-compliance fee, the lawsuit relays. The suit claims, however, that the defendants have instead charged a monthly $20 fee for each month after a merchant has failed to submit validation. The case contends that this monthly fee “serves no other purpose but to line Defendants’ pockets” and was never authorized by merchants’ contracts, which allow for only an annual $40 fee.

According to the suit, the unauthorized non-compliance fee is especially egregious given the defendants also charge an impermissible $19.95 “Clover Security Plus” fee for a security feature that purportedly “[r]educe[s] risk and liability from potential breaches while maintaining Payment Card Industry (PCI) compliance.” The lawsuit argues that the fee “does nothing of the sort” and fails to prevent merchants from being charged the non-compliance fee.

Despite their emphasis on maintaining data security, the defendants, the lawsuit goes on to allege, have provided “little to no guidance” on how to validate PCIDSS compliance.

“Instead, merchants—many of whom are small business proprietors like Plaintiff—are left confused by the PCIDSS validation process, which is a multi-step process that includes a lengthy questionnaire riddled with technological terms of art,” the complaint attests.

The plaintiff says her monthly merchant statements contained “no direction whatsoever” about how to become PCI compliant. Given the complex PCIDSS validation process and the defendants’ apparent lack of direction regarding PCI compliance, “it is clear that Defendants would rather profit off their plain breach of their contracts with their merchant customers than guide them to validating PCIDSS compliance,” the lawsuit scathes.

The defendants’ conduct, the suit says, is even more egregious in light of recent allegations that BAMS itself is not PCI-compliant. Cited in the complaint is a whisleblower lawsuit in which BAMS was accused of mishandling a certain type of customer data and misrepresenting its PCI-compliance. The proposed class action says a BAMS executive responded to the whistleblower’s concerns by remarking that becoming PCIDSS-compliant with respect to this type of customer data was “very costly and time consuming.”

The plaintiff, who first became a BAMS merchant customer in 2013, claims to have been charged at least $918 in unauthorized non-receipt and Clover Security Plus fees by the defendants.

The lawsuit looks to represent all merchant service customers who were charged a monthly PCI non-receipt fee and/or Clover Security Plus fee within the applicable statute of limitations period.

Leave a Reply

Your email address will not be published. Required fields are marked *