Scoop: Lawsuit against BAMS alleges deliberate non-compliance with PCI rules

Recent ruling moves case forward, opening the door for "successor corporations" liability

FinLedger has learned about a whistleblower lawsuit filed against Bank of America Merchant Services (BAMS) by a former vice president operations control officer of the company.

In a complaint filed under a series of acts – including Dodd-Frank, Sarbanes-Oxley and the Consumer Finance Protection Act – in September 2019, Eric Slawin alleges that he was unfairly terminated after he objected to what he described as BAMS’ strategy “of misleading its customers to believe that it was PCI-compliant when it was not.” Those customers include the likes of huge retailers such as Target, Amazon and Home Depot.

Payment card industry (PCI) compliance is mandated by the credit card companies to help ensure the security of card transactions in the payments industry. Being non-PCI-compliant can result in hefty fines and penalties from the major card brands, among other negative consequences such as potential data breaches, risk of legal action and bad publicity. Clients of non-PCI-compliant vendors could also seek to recover damages for any negative consequences of the mishandled data.

In the complaint, Slawin also alleges that BAMS retaliated against him when he objected to participating in what he described as “BAMS fraud on its customers and the SEC.”

Bank of America Merchant Services (BAMS) is a joint venture between Bank of America and First Data Corp. (recently acquired by Fiserv) that is in the process of being dissolved. While the joint venture will soon no longer be operational, the company’s customers will potentially be served by Bank of America and Fiserv through at least June 2023.

Despite the unwinding of the joint venture, problems linked to the entity still linger in the form of a legal dispute. Before we get to recent developments, we’ll first provide some context.

The backstory

According to the 2019 filing, Slawin’s complaint was originally filed with OSHA on Dec. 12, 2017, the same day that he was terminated. It was amended on April 27, 2018, and re-filed. Subsequently, OSHA administratively closed its file to give Slawin the chance to pursue his action in federal court. 

According to Slawin’s attorneys – Robert N. Marx and Jean Simonoff Marx of Atlanta-based Marx & Marx L.L.C. – the former BAMS employee was concerned when he observed non-PCI-compliance with regard to PAN data. PAN data refers to primary account number data on consumers’ credit and debit cards and is contained within information that is stored and/or transmitted by BAMS.

BAMS was the “face” of the business, and handled sales and leasing of point-of-sale equipment to merchants, as well as customer service, while First Data processed the transactions in the back end.

According to the 2019 complaint filing:

“During May and throughout the summer of 2017, there were email exchanges including among the highest level of BAMS’ executives regarding the magnitude of the PCI non-compliance issue given the large volume of PAN data that BAMS handled. These emails also reflect the decision among BAMS’ management that it was too costly for BAMS to become PCI-compliant, and therefore that it would not become PCI compliant.”

Around July 2017, Joseph Moll – vice president corporate information security officer, risk and compliance at Bank of America Merchant Services – described thousands of instances in which “PAN data was being mishandled by BAMS,” according to the lawsuit. 

Moll also noted that those numbers “only reflected instances of emailing PAN data and did not include all instances in which PAN data was stored, processed or otherwise transmitted,” according to the 2019 complaint.

The complaint further alleges that around June 2017, Bank of America Merchant Services Executive Vice President and Head of Sales David Ades – who reported directly to CEO Tim Tynan – sent out an email that corroborated his conversations with other senior BAMS executives regarding non-PCI compliance.

According to the lawsuit, Ades in that email confirmed that BAMS used full PAN data and that BAMS was not PCI-compliant. He allegedly also wrote that BAMS did not want to become PCI-compliant because it was a “very costly and time consuming” process.

The complaint also alleges that emails among BAMS’ top executives show the C-Suite was involved in the discussions regarding BAMS’ non-PCI compliance. Other emails similarly showed that executives discussed how to deflect questions and handle communication to customers regarding data security without BAMS becoming PCI-compliant, per the suit.

In the complaint, Slawin alleges that he voiced his discomfort with the noncompliance to his immediate superiors and other BAMS senior executives. Predicated on his concern, it was Slawin’s refusal to cover up evidence of the non-compliance – in the form of email correspondence on which he was copied – that allegedly ultimately led to his dismissal.

One of the biggest issues relates to the relationship within which BAMS was interfacing with its customers, which included companies and municipalities, according to attorney Jean Simonoff Marx.

“BAMS did the actual processing of chargebacks and allegedly, a lot of data was communicated in unsecured emails, some of it primary account data,” Ms. Marx said. “They knew this... but from BAMS’ point of view, they didn’t want to lose the customer. They were really trying to deflect the issue of whether they were PCI or non-PCI compliant. They knew they were not. And they decided not to become PCI-compliant. It was our client’s position that they were misleading customers and creating all kinds of exposure rather than becoming compliant.”

Mr. Marx added: “It was not a matter of negligence. They knew it was too much money, time and effort to become PCI-compliant.” As such, there were likely “thousands of violations” that took place.

Recent developments

Fast forward to today, in case you’re wondering why we’re covering the news now when the lawsuit was filed last year. Earlier this year, the four defendants – BAMS, Bank of America, Fiserv and First Data – requested to have the case dismissed against all parties except for BAMS.

On Sept. 30, 2020, the District Court in Atlanta ruled on that motion. The Georgia District Court dismissed the whistleblower complaint under the Dodd-Frank Wall Street Reform and Consumer Protection Act against BAMS. (A National Law Review article published on Oct. 26, 2020, covers that dismissal but does not go into the issues of PCI non-compliance.)

But BAMS did not move to dismiss the complaint under Sarbanes-Oxley. The District Court also denied BAMS’ motion to dismiss under the Consumer Financial Protection Act of 2019. This means that there are two claims still proceeding in the litigation against BAMS: one under Sarbanes-Oxley and a separate claim under the Consumer Financial Protection Act. 

While Slawin’s claims against Bank of America and Fiserv were dismissed by the District Court under the whistleblower statutes, the District Court invited Slawin’s attorneys to file a motion to include Bank of America and Fiserv as “successor corporations” to pay any judgment.

The case has moved to discovery and the attorneys will start pretrial proceedings, including taking depositions.

Slawin’s attorneys in this suit are seeking “appropriate damages” allowable under statutes. As for the security violations, the government will have to deal with BAMS separately – a matter that is currently being addressed by the SEC within the context of a Dodd-Frank investigation.

FinLedger reached out to Bank of America and Fiserv for comment but had not received any response at the time of publication. We also reached out to Bank of America Merchant Services’ lead attorney. 

Charles Edward Solley, an attorney for Bank of America, who is “familiar with the case” said he was not authorized to comment.

The U.S. Securities and Exchange Commission also declined comment.
