Wawa, the Delaware County-based convenience store and gas station chain, paid $10.7 million last year linked to a 2019 breach of its customer payment security systems.
But now it wants that money back — and more. On Monday in federal court in New York, Wawa sued Mastercard, the giant payment-card network, and demanded that it be paid triple damages, under antifraud laws.
That makes the store chain the latest retailer suing Mastercard for a refund of what Wawa calls unlawful penalties that have already been paid under what it says are unfair business practices. Mastercard didn’t respond to requests for comment.
In its suit, Wawa said it paid the money under “duress” to its credit card bank, Bank of America, which forwarded the money to Mastercard, under penalty practices that Wawa now says violate Mastercard’s own standards for customer-related disputes, as well as “basic principles of fairness, equity and good conscience.”
Wawa admits in its lawsuit that it took years to install chip readers on its gas pumps to replace old-fashioned and easier-to-hack magnetic-stripe card readers. The company blames “circumstances beyond its control” that delayed the necessary software and hardware installation.
The chip reader installations were completed by March 2020, Wawa said, four months after it discovered that hackers had been collecting information on card users for much of 2019. According to Wawa, Mastercard could have measured any actual expenses resulting from the hack and “to the penny, to the extent they incurred any such losses at all,” and demanded appropriate reimbursement.
According to Wawa’s lawsuit, Mastercard claimed more than five million of its cardholders were impacted by the breach and levied a $17.8 million penalty against Bank of America, which Mastercard later agreed to reduce to $10.7 million. Bank of America, like many banks that issue cards, is part of the Mastercard network. Wawa agreed to front the money to Bank of America, and so gained the right to try to get it back from Mastercard.
Wawa accused Mastercard of imposing an “unfair” penalty per account, even if customer accounts suffered no actual losses or expenses, violating Mastercard’s own standards. Wawa didn’t say in the lawsuit how much the breach ended up costing in actual expenses. The company last year agreed to pay up to $9 million, in cash or gift cards, to consumers whose data were compromised.
Under Mastercard’s own standards, at least 30,000 customers had to suffer “actual theft of the account number,” and the merchant’s bank — in this case, Bank of America — must have violated Mastercard security rules, for the penalties it assessed to apply, Wawa said in its lawsuit.
But Wawa says Bank of America actually complied with Mastercard rules and should not have been assessed such a high penalty.
Wawa isn’t the first to make such claims. In March 2016, a group of Florida retailers led by B&R Markets sued Mastercard and the other major credit card networks — Visa, American Express, and Discover — in federal court in California, alleging that they conspired with banks “to shift billions of dollars in liability for fraudulent, faulty and otherwise rejected consumer credit card transactions” to merchants that had not yet installed computer-chip readers by the card networks’ deadline of Oct. 1, 2015.
Mastercard and the other systems denied wrongdoing, but the case has advanced through the courts and is currently awaiting trial in federal court in New York — as a class action, with merchants seeking more than $1 billion in damages. Mastercard denies wrongdoing. In its annual report, the company told investors it expects the court will review proposals from both sides for summary judgment later this year.