United States District Court, D. Maryland
RICHARD D. BENNETT, District Judge.
The origins of this contentious case lie in a soured business relationship and the settlement of earlier litigation in the United States District Court for the District of Utah. In this action, Plaintiffs First Data Merchant Services Corporation ("FDMS") and First Data Corporation ("FDC") (collectively "First Data") assert claims against Defendant SecurityMetrics, Inc. ("SecurityMetrics") relating to SecurityMetrics' alleged post-settlement misconduct. SecurityMetrics subsequently asserted fifteen counterclaims sounding in various doctrines of contract, trademark, and antitrust law. Currently pending before this Court are First Data's Motion for Summary Judgment as to Certain of SecurityMetrics' Counterclaims (ECF No. 272), SecurityMetrics' Motion for Partial Summary Judgment on Contract Claims and Counterclaims (ECF No. 275), First Data's Cross-Motion for Summary Judgment as to First Counterclaim (ECF No. 294), and SecurityMetrics' Motion for Partial Summary Judgment on Common Law Tort and Lanham Act Claims (Counts III-VIII) (ECF No. 277). The parties' submissions have been reviewed, and a hearing was held on December 12, 2014. For the reasons that follow, First Data's Motion for Summary Judgment as to Certain of SecurityMetrics' Counterclaims (ECF No. 272) is GRANTED. SecurityMetrics' Motion for Partial Summary Judgment on Contract Claims and Counterclaims (ECF No. 275) is DENIED and First Data's Cross-Motion for Summary Judgment as to First Counterclaim (ECF No. 294) is GRANTED. Additionally, SecurityMetrics' Motion for Partial Summary Judgment on Common Law Tort and Lanham Act Claims (Counts III-VIII) (ECF No. 277) is DENIED AS MOOT with respect to First Data's Lanham Act claims and DENIED with respect to First Data's tortious interference claim.
Accordingly, the parties are now primed for trial,  which is scheduled to begin January 12, 2015. With respect to First Data's claims, the following counts remain: declaratory relief (Counts 1 & 9), breach of contract (Count 2), and tortious interference (Count 4). With respect to SecurityMetrics' counterclaims, the following counts remain: declaratory judgment with respect to the third paragraph of the Terms of Settlement (Count 2), and declaratory judgment with respect to the fifth paragraph of the Terms of Settlement (Count 3).
In ruling on a motion for summary judgment, this Court reviews the facts and all reasonable inferences in the light most favorable to the nonmoving party. Scott v. Harris, 550 U.S. 372, 378 (2007); see also Hardwick ex rel. Hardwick v. Heyward, 711 F.3d 426, 433 (4th Cir. 2013).
A. The Payment Card Industry
In the payment card industry, there are a few main types of service providers. An "issuer" issues a payment card to a consumer and bills and collects amounts due from the consumer. The other main service is provided on the merchant side; when a consumer attempts to pay a merchant for goods or services with a payment card, an "acquirer" obtains authorization for the transaction from the consumer's issuer and then clears and settles the transaction so that the merchant gets paid and the consumer's account gets charged. Acquirers perform the underwriting requirements and take on the financial risks of fraud. In addition, some payment card brands or associations operate in open networks that allow separate entities or banks to operate as issuers and acquirers; in such open networks, "processors" help to facilitate the communication and settlement of payment. FDMS is an acquirer, while FDC is the payment processor for FDMS's transactions. First Data asserts that it processes transactions for over two million "Level 4" merchants,  while SecurityMetrics asserts that the number is closer to 2.6 million. In some cases, pursuant to a contract, First Data stands in the shoes of other acquirers and deals with the acquirers' merchants directly; in those cases, First Data undertakes the underwriting and risk management responsibilities and is liable for losses or fines incurred by the Acquirer. First Data performs acquirer services from approximately 820, 000.
The term "PCI" is as an acronym for "Payment Card Industry." The PCI Security Standards Council ("PCI Council") was formed in 2006 by the major credit card brands. The PCI Council developed the PCI Data Security Standard ("PCI Standard" or "PCI DSS"), which has been adopted by the major credit card brands as their data security compliance requirement for all merchants. Thus, the card brands enforce compliance with the PCI Standard and determine the penalties for non-compliance. While the PCI Standard's requirements vary based upon the size of a merchant, the category of merchants at issue in this case are "Level 4 merchants." Level 4 merchants are more numerous than higher-volume merchants and, as such, have the highest number of transactions collectively.
While the PCI standard is universal, the various Card Brands have different requirements for demonstrating or validating compliance with the standard. The category at issue in this case are "Level 4 merchants"-those merchants with the lowest transaction volume. Level 4 merchants are more numerous than higher-volume merchants and, as such, have the most collective transactions. For these lower-volume merchants, the PCI Council provides the Self-Assessment Questionnaire ("SAQ"). The SAQ is a validation tool intended to assist merchants in self-evaluating their compliance with the PCI Standard. For those Level 4 merchants who conduct sales over the internet, however, the PCI Data Security Standard requires vulnerability scans of its computer system. These scans must be performed by Approved Scanning Vendors ("ASV"), which are approved by the PCI Council. SecurityMetrics is certified by the PCI Council as an ASV, but First Data is not.
B. The Relationship of the Parties
First Data is a global payment processor engaged in the business of processing credit and debit card transactions for merchants and independent sales organizations ("ISOs") who use First Data's card processing services. SecurityMetrics provided compliance services to some merchants for whom First Data provides processing services. For those merchants that First Data provides acquirer services (some 820, 000 merchants), First Data has instituted a PCI Standard compliance reporting program.
For several years, the parties worked together pursuant to a series of contracts. Under those agreements, "First Data promoted SecurityMetrics to its Level 4 merchant customers as its preferred vendor for services relating to validation of compliance with PCI Standards, and SecurityMetrics developed and utilized a protocol for reporting validation of compliance through what is known as the "START" system. START is not an industry standard and it is not prescribed by the PCI Council." Under the terms of the agreement, First Data paid SecurityMetrics for each merchant that was enrolled (usually for a 1 year service period), and SecurityMetrics would report the compliance status of all its enrolled merchants to First Data on a monthly basis. The agreement was last renewed on January 3, 2012. SecurityMetrics alleges, however, that First Data materially breached the agreement in April 2012 and then unilaterally and prematurely terminated it in May 2012. Since that point, SecurityMetrics ceased SMART reporting and began to send emails containing links to PDF reports of compliance.
In June of 2012, First Data began offering a service called "PCI Rapid Comply, " which competes with the services offered by SecurityMetrics. First Data asserts that PCI Rapid Comply is only available to those Level 4 merchants for whom First Data supplies acquirer services-some 820, 000 merchants. First Data also alleges that only 200, 000 merchants have actually used PCI Rapid Comply to report their PCI Standard compliance.
SecurityMetrics alleges various unfair practices on First Data's part in connection to the roll-out of PCI Rapid Comply. First Data imposes billing minimums on ISOs using First Data for acquirer services, and SecurityMetrics alleges that, when calculating these minimums, First Data counts fees for PCI Rapid Comply towards the required minimums, but refuses to count costs or fees paid to vendors of other PCI compliance services. In addition, SecurityMetrics asserts that First Data represented that merchants who used compliance verification vendors other than PCI Rapid Comply would have to pay for those services in addition to the cost of PCI Rapid Comply.
In May of 2012, FDMS filed suit in First Data Merchant Services Corporation v. SecurityMetrics, Inc., Case No. 2:12-cv-495 ("Utah Action") in the United States District Court for the District of Utah ("Utah Court") and moved for a temporary restraining order and preliminary injunction requiring SecurityMetrics to resume START reporting. The Utah Court denied the motion, and the parties entered mediation, which resulted in the signing of Terms of Settlement ("Settlement Terms") by both parties. Under those terms, First Data proffered a payment of five million dollars.
C. The Presently Pending Action
On August 27, 2012-less than three months after the signing of the Terms of
Settlement-First Data filed the presently pending action before this Court. Following a stay of this action pending final disposition of the Utah Action and the subsequent denial of FDMS's Preliminary Injunction Motion filed before this Court, FDMS was permitted to amend its Complaint (ECF No. 91). As a result, First Data filed the Amended Complaint (ECF No. 92) on March 8, 2013, which asserted the following claims:
1) Declaratory relief (Count 1)
2) Breach of contract (Count 2)
3) Common Law Unfair Competition (Count 3)
4) Tortious Interference with Existing and Prospective Contractual and Business Relationships (Count 4)
5) Injurious Falsehoods (Count 5)
6) False Endorsement/Association, Lanham Act 15 U.S.C. § 1125(a)(1)(A) (Count 6)
7) Trademark/Service Mark/Trade Name Infringement, Lanham Act, 15 U.S.C. §§ 1114(1), 1125(a)(1)(A) (Count 7)
8) False Advertising, Lanham Act, 15 U.S.C. 1125(a)(1)(B) (Count 8)
9) Declaratory Relief (Count 9)
SecurityMetrics answered the Complaint on August 26, 2013 and asserted fifteen counterclaims of its own against First Data, including claims for:
1) Specific performance of the first paragraph of the Terms of Settlement (Obligation to Enter Long-Form Settlement) (Count 1)
2) Declaratory judgment with respect to third paragraph of the Terms of Settlement (Merchant Data provision) (Count 2)
3) Declaratory judgment with respect to fifth paragraph of the Terms of Settlement (Unenforceability of Confidentiality Term) (Count 3)
4) Injurious falsehoods (Count 4),
5) Federal false advertising (Count 5),
6) Federal false endorsement (Count 6),
7) Cancellation of registration (Count 7),
8) Utah Deceptive Trade Practices violations (Count 8),
9) Tortious interference (Count 9),
10) Federal restraint of trade (Count 10),
11) Federal monopolization and attempted monopolization (Count 11),
12) Maryland Restraint of Trade (Count 12)
13) Maryland monopolization and attempted monopolization (Count 13)
14) Maryland predatory pricing ...