Visa Inc. v. Sally Beauty Holdings, Inc.

                 In the
            Court of Appeals
    Second Appellate District of Texas
             at Fort Worth
          ___________________________
               No. 02-20-00339-CV
          ___________________________
    
                VISA INC., Appellant
    
                          V.
    
    SALLY BEAUTY HOLDINGS, INC., Appellee
    
    
    
       On Appeal from the 158th District Court
              Denton County, Texas
           Trial Court No. 19-6924-158
    
    
     Before Sudderth, C.J.; Wallach and Walker, JJ.
          Opinion by Chief Justice Sudderth
                                           OPINION
    
           Given how routine credit-card transactions have become, the average card-carrying

    American could easily overlook the complex system that makes such
    
    transactions possible. One key component of that complex system is its contractual
    
    structure, which indirectly links merchants like Appellee Sally Beauty Holdings, Inc. to
    
    the network of transactional services provided by companies like Appellant Visa, Inc.
    
    The enforceability of certain terms within this contractual structure, as well as the
    
    security-related representations made by merchants participating in the Visa network,
    
    are at the center of this data-breach case.
    
           After Sally Beauty’s allegedly sub-par network security enabled a credit-card
    
    network hack—Sally Beauty’s second in just over a year—Visa assessed approximately
    
    $14 million in liquidated damages against the company that linked Sally Beauty to the
    
    Visa network: Fifth Third Bank. Fifth Third passed the $14 million assessment on to
    
    Sally Beauty and assigned the merchant its claims against Visa. Sally Beauty sued,
    
    arguing that Visa had breached its contract with Fifth Third by collecting the $14
    
    million assessment because the liquidated damages provision was an unenforceable
    
    penalty under California law. Visa countersued for fraud1 alleging that, in the fourteen
    
    months between Sally Beauty’s two hacks, Sally Beauty fraudulently misrepresented its
    
    
    
    
           1
             Visa also countersued for negligence, but it does not appeal the trial court’s
    adverse summary judgment on its negligence counterclaim.
    
    
    compliance with network security protocols as well as its intent to remain in
    
    compliance.
    
          The parties filed competing motions for summary judgment, and the trial court
    
    granted Sally Beauty’s motions on both Sally Beauty’s contract claim and Visa’s fraud
    
    counterclaim. The court found that (1) the liquidated damages provision underlying
    
    the $14 million assessment was unenforceable under California law, and (2) Visa not
    
    only lacked standing to assert fraud but also failed to state a cognizable fraud claim
    
    under Texas law.2
    
          We disagree on both counts. First, because the liquidated damages provision is
    
    presumed valid under California law and because none of Sally Beauty’s arguments
    
    invalidate it, we will reverse the trial court’s breach of contract judgment and hold that
    
    the liquidated damages provision is enforceable. And second, because Visa has
    
    standing to raise a fraud claim, because Sally Beauty sought dismissal of the fraud
    
    claim on the pleadings, and because we take Visa’s pleadings as true and construe
    
    them in its favor, we will reverse the trial court’s fraud judgment and hold that Visa
    
    stated a cognizable claim for fraud under Texas law. With both summary judgments
    
    reversed, we will remand the case for further proceedings.
    
          2
            The fraud findings stated above are implied; the trial court indicated the basis
    for its breach of contract judgment, but it did not indicate the basis for its judgment
    on Visa’s fraud counterclaim. See Provident Life & Acc. Ins. Co. v. Knott, 128 S.W.3d
    211, 216 (Tex. 2003) (“Because the trial court’s order does not specify the grounds for
    its summary judgment, we must affirm the summary judgment if any of the theories
    presented to the trial court and preserved for appellate review are meritorious.”).
    
    
                                        I. Background
    
          Visa’s credit-card network involves multiple layers of contracts.
    
    A. Network and Contractual Framework
          Generally, when a customer uses his Visa card at one of Sally Beauty’s beauty-supply

    stores, (1) a point-of-sale system at Sally Beauty sends the card information to

    Sally Beauty’s acquiring bank, Fifth Third; (2) Fifth Third transmits the information

    via Visa’s network to the bank that issued the customer’s credit card; (3) the card-issuing

    bank authorizes the transaction; and (4) the authorization message is sent back
    
    through the Visa network to Sally Beauty to complete the transaction.3 Visa has
    
    contracts with the card-issuing banks and with the acquiring banks (such as Fifth
    
    Third), while the acquiring banks have contracts with the individual merchants (such
    
    as Sally Beauty). Otherwise, the system participants do not have contracts with one
    
    another. Consequently, Visa has established a set of rules to govern the system: the
    
    Visa Core Rules.
    
          The Visa Core Rules are incorporated into Visa’s contracts with issuers and
    
    acquirers, and the acquirers in turn incorporate the Visa Core Rules into their
    
    contracts with merchants. The Visa Core Rules establish, among other things,
    
    (1) security requirements for network participants, (2) an investigation procedure for
    
    
    
    
          3
            See Landry’s, Inc. v. Ins. Co. of Pa., 4 F.4th 366, 367 (5th Cir. 2021) (describing
    parallel system).
    
    
    data hacks, and (3) a system of liquidated damages known as the Global
    
    Compromised Account Recovery (GCAR) program.
    
          1. Security Requirements
          First, the Visa Core Rules protect network security by requiring acquirers to
    
    ensure that any merchant the acquirer connects to the Visa network complies with
    
    industry-wide security protocols known as the Payment Card Industry Data Security
    
    Standards (PCI DSS).4 Merchants whose Visa transactions exceed a certain threshold
    
    are required to undergo an annual security evaluation to ensure ongoing PCI DSS
    
    compliance. Sally Beauty was one such merchant.
    
          This annual evaluation is generally conducted by a qualified security assessor
    
    (QSA),5 who validates the merchant’s compliance with more than 200 PCI DSS
    
    requirements.6 The QSA then completes a three-page summary of these findings,
    
    grouping the numerous tested requirements into 12 broad categories, such as
    
    “[i]nstall[ing] and maintain[ing] a firewall configuration to protect cardholder data”
    
    
    
    
          4
           The PCI DSS were adopted and are maintained by the Payment Card Industry
    Security Standards Council, LLC.
          5
            “Independent security organizations qualified by [the Payment Card Industry
    Security Standards Council] to validate an entity’s adherence to PCI DSS requirements
    are referred to as ‘Qualified Security Assessor Companies.’” Individuals employed by
    these companies as QSAs are required to complete an additional qualification process
    to conduct PCI DSS validation tests.
          6
           The QSA’s evaluation procedure includes more than 300 tests.
    
    
    and “[p]rotect[ing] stored cardholder data.”7 The QSA marks the appropriate
    
    checkbox on the summary sheet to indicate the merchant’s compliance or
    
    noncompliance with each of these 12 categories.8 Both the QSA and the merchant
    
    then sign the summary sheet, affirming, among other things, that,
    
          •      [a]ll information within the above-referenced [report] and in this
                 attestation [i.e., summary sheet] fairly represents the results of the
                 assessment in all material respects[;]
    
          •      [t]he merchant has confirmed with the payment application
                 vendor that [its] payment application does not store sensitive
                 authentication data after authorization[; and]
    
          •      [t]he merchant has read the PCI DSS and recognizes that [it] must
                 maintain full PCI DSS compliance at all times.
    
    The Visa Core Rules provide that this signed summary, known as an attestation of
    
    compliance (AOC), must be included with the QSA’s report and submitted to the
    
    merchant’s acquirer and, ultimately, to Visa.
    
          2. Investigation Procedures
          The PCI DSS protocols are merely one feature of the Visa Core Rules. The
    
    second relevant feature is the investigation procedures.
    
          In the event of a network hack, the Visa Core Rules require the hacked
    
    merchant, upon request, to hire an independent PCI DSS forensic investigator to
    
    7
     Rather than hiring a QSA, a merchant may elect to have its internal audit department
    complete the evaluation.
    8
     If the merchant is noncompliant, the checklist provides a field for the QSA or
    merchant to indicate “the date [the company] will be compliant with the requirement
    and a brief description of the actions being taken to meet the requirement.”
    
    
    investigate the hack. The investigator follows an industry-wide PCI DSS procedure to
    
    determine, among other things, the number of customers whose financial information
    
    was exposed to the risk of unauthorized disclosure and to determine whether the
    
    hacked merchant was compliant with PCI DSS protocols at the time of the hack. If,
    
    based on this report, Visa determines that the hacked merchant was not in compliance
    
    with PCI DSS protocols,9 if such noncompliance could have facilitated the hack, if
    
    certain cardholder data is put at risk, if Visa has to send a certain number of breach-related

    issuer alerts, and if the estimated issuer expenses resulting from the hack
    
    exceed a specified threshold, then the third relevant feature of the Visa Core Rules
    
    kicks in: the GCAR program.
    
          3. GCAR Program
          The GCAR program effectively allows issuers to recover for expenses caused
    
    by merchant hacks, despite the lack of privity between issuers and merchants.
    
    Generally, if a hack qualifies for the GCAR program, Visa calculates and imposes a
    
    liquidated assessment against the acquirer that provided the hacked merchant with
    
    access to the Visa network.10 The acquirer, in turn, generally passes the assessment on
    
    
    
    
          9
            The Visa Core Rules give Visa the discretion to treat the investigator’s report
    as merely “one source of information” in the GCAR analysis. But in this case, Visa
    relied on the investigator’s final report.
          10
            The Visa Core Rules also provide an appeal review process that allows
    acquirers to appeal the GCAR assessment within 30 days.
    
    
    to the hacked merchant.11 Then, after Visa collects the liquidated damages, Visa
    
    distributes the funds to the affected issuers.
    
             Two elements comprise the GCAR’s liquidated damages formula:
    
    (1) incremental counterfeit fraud liability, and (2) issuer operating-expense recovery.
    
    The incremental-counterfeit-fraud-liability portion is calculated based on the number
    
    of at-risk Visa customers and the amount of marginal fraud observed on their
    
    accounts. The issuer operating-expense recovery, in turn, is calculated by multiplying
    
    a specified operating-expense amount by the number of eligible at-risk customer
    
    accounts.12 As the sum of these two elements, the GCAR assessment is intended to
    
    estimate and reimburse a portion of the issuers’ hack-specific fraud-related expenses,
    
    such as increased account monitoring, card replacement, and customer
    
    reimbursements for fraudulent charges.13 At the same time, the GCAR program
    
    
    
    
           11
             Whether a hacked merchant is required to indemnify its acquiring bank for a
    GCAR assessment is determined by the terms of the merchant–acquirer contract, not
    the Visa Core Rules.
           12
             The specified operating-expense amount ranges from approximately $2.50 to
    $7.00.
             13
               “Card-issuing banks and credit unions are required by federal law to
    indemnify their card-holding customers for losses from fraudulent activity,
    so . . . [these banks] bore the costs of reissuing cards and indemnifying the [merchant]
    hackers’ fraud.” Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 807 (7th
    Cir. 2018) (first citing 15 U.S.C. § 1643(a); and then citing 12 C.F.R. § 205.6).
    
    
    limits Visa’s contractual obligation to reimburse the issuers, and it limits the acquirer’s
    
    corresponding liability to Visa for issuer reimbursements.14
    
    B. Sally Beauty’s Case
          The current case involves a dispute over Visa’s GCAR program. In 2015, Sally
    
    Beauty’s payment system was hacked—for the second time in just over one year—
    
    putting Visa’s customers’ data at risk. Visa required Sally Beauty to investigate the
    
    hack, and the PCI DSS investigator determined that Sally Beauty had not complied
    
    with certain PCI DSS protocols and that this noncompliance allowed third parties to
    
    hack Sally Beauty’s system. Because Fifth Third was providing Sally Beauty with
    
    access to Visa’s network, Visa relied on the investigator’s report to impose a GCAR
    
    
    
          14
            For example, the GCAR program limits the relevant time frame for
    reimbursable fraud to a specified “fraud window”; it caps the acquirer’s liability to
    Visa based on a predefined percentage of the acquirer’s gross annual purchase
    volume; it excludes consideration of certain fraudulent charges, such as fraud in
    excess of $3,000 per customer account; it offers acquirers a “safe harbor” from
    GCAR liability based on installation of chip-enabled point-of-sale terminals; and it
    conditions Visa’s liability to issuers on Visa’s successful imposition and collection of
    the GCAR assessment. As to the final limitation—Visa’s conditional liability—the
    GCAR program provides,
          Visa is not responsible to fund any recovery amounts under any
          circumstances. Any issuer recoveries are limited to the amount, if any,
          that Visa collects from the Compromised Entity’s acquirer(s). If Visa
          concludes it is unable or not in the best interests of the Visa system as a
          whole to assess or collect an assessment under GCAR for any reason,
          issuers shall have no right to any GCAR recovery amounts. If the
          amount collected by Visa is lower than the full assessment amount, Visa
          will proportionally adjust all issuer recoveries, if any. Visa is not
          obligated to exercise its discretion to reduce any assessment.
    
    
    assessment of $14.29 million against Fifth Third.15 Fifth Third passed the GCAR
    
    assessment on to Sally Beauty, and Sally Beauty paid Fifth Third in exchange for an
    
    assignment of Fifth Third’s claims against Visa.
    
          Sally Beauty then sued Visa for breach of contract, along with five other causes
    
    of action.16 In its breach of contract claim, Sally Beauty argued that Visa had
    
    breached its contract with Fifth Third in four different, independently sufficient
    
    ways,17 including by imposing the GCAR assessment. Sally Beauty alleged that Visa’s
    
    imposition of this GCAR assessment was a breach because the Visa Core Rules’s
    
    liquidated damages provision was an unenforceable penalty. Visa counterclaimed for,
    
    
    
    
          15
            The precise amount of the assessment was $14,294,740.36.
          16
             Sally Beauty raised six causes of action. The first four were asserted as
    assignee and subrogee of Fifth Third: (1) breach of contract; (2) breach of the implied
    covenant of good faith and fair dealing; (3) in the alternative, “money had and
    received or restitution/unjust enrichment”; and (4) unlawful, unfair, and fraudulent
    business practices in violation of California Business and Professional Code Section
    17200. [Capitalization altered.] Sally Beauty asserted its other two causes of action
    directly against Visa: (1) “money had and received or restitution/unjust enrichment”;
    and (2) unlawful, unfair and fraudulent business practices in violation of California
    Business and Professional Code Section 17200. [Capitalization altered.]
          17
             The breach of contract portion of Sally Beauty’s live petition stated four
    different breaches; it alleged that (1) for at least three different, independently
    sufficient reasons, “[t]he GCAR Liability Assessment was not authorized by the Visa
    Rules,” i.e., Visa failed to follow the Visa Core Rules in its calculation and imposition
    of the GCAR assessment; and (2) “[t]he GCAR Liability Assessment, even if it was
    authorized by the Visa [Core] Rules . . . , is unenforceable under applicable law
    because it constitutes a contractual penalty.”
    
    
    among other things, fraud.18 Specifically, Visa alleged that in October 2014—between
    
    Sally Beauty’s first and second hacks—Sally Beauty underwent a QSA evaluation and
    
    affirmed its compliance with PCI DSS protocols in a written attestation. Visa argued
    
    that this attestation—the standard AOC discussed above—intentionally or recklessly
    
    misrepresented Sally Beauty’s then-current compliance status as well as the merchant’s
    
    intent to remain in compliance, and Visa alleged that it had relied on this attestation to
    
    its detriment.
    
           Before discovery even began, both parties moved for summary judgment. Sally
    
    Beauty moved for summary judgment on its breach of contract claim, and it agreed to
    
    waive its other claims if the trial court granted its motion. It also sought summary
    
    judgment dismissing Visa’s counterclaims on the pleadings.19
    
           Visa, in turn, moved for partial summary judgment on Sally Beauty’s
    
    affirmative claims.20 Regarding the breach of contract claim in particular, Visa
    
    
    
    targeted the breach element and challenged the four breaches alleged in Sally Beauty’s

    petition.21 The trial court granted summary judgment for Sally Beauty on its breach of

    contract claim and on Visa’s counterclaims. Although the trial court did not specify

    the basis for its judgment on Visa’s counterclaims, it elaborated on its breach of

    contract judgment by expressly finding in Sally Beauty’s favor on each of Sally

    Beauty’s three independently sufficient arguments: “(1) the damages Visa seeks to

    recover are NOT valid liquidated damages; (2) the relevant contract provision was

    unreasonable under the circumstances existing at the time the contract was made; and

    (3) the terms of the GCAR Program itself along with the VISA Core Rules establish

    [that] these [a]ssessments are not liquidated damages.” [Cleaned up.] See Tex. R. Civ.

    P. 166a(a)–(c). The trial court ordered Visa to pay Sally Beauty $14.3 million in actual

    damages, along with interest and court costs.22

           18
             Visa also counterclaimed for negligence, and its counterclaim for fraud could
    be read to encompass a third cause of action for fraudulent concealment. The trial
    court disposed of all Visa’s counterclaims, but only the fraud claim is challenged on
    appeal.
           19
             Even if the GCAR assessment is legally unenforceable, because the Visa Core
    Rules authorize the GCAR assessment, it is unclear why the collection of this
    assessment in accordance with the contract would constitute a breach of that contract.
    But Visa does not make this argument.
           20
             Visa attached three exhibits to its summary judgment motion: (1) an excerpt
    from the Visa Core Rules; (2) the PCI DSS investigator’s report regarding Sally
    Beauty’s hack; and (3) a copy of Paymentech, LLC v. Landry’s Inc., No. H-18-1622, 2020
    WL 1671075 (S.D. Tex. Feb. 10, 2020). Sally Beauty moved to strike the
    investigator’s report. The trial court did not rule on the motion to strike before it
    granted summary judgment.
          21
             Visa’s motion for partial summary judgment sought to negate Sally Beauty’s
    four alleged breaches by conclusively disproving them with evidence or by arguing
    that Sally Beauty had failed to state a claim.
          22
              The judgment ordered $14,344,740.36 in actual damages. It is not clear how
    the trial court arrived at this figure from the $14,294,740.36 GCAR assessment. Nor
    is it clear why the trial court’s resolution of the liquidated damages issue necessitated
    Visa’s return of the full amount of the assessment. Generally, when a liquidated
    damages provision is held to be an unenforceable penalty, the nonbreaching party
    (here, Visa) may still recover its actual damages. See Ridgley v. Topa Thrift & Loan Ass’n,
    953 P.2d 484, 488 (Cal. 1998). Sally Beauty’s motion for summary judgment did not
    address the damages element of its breach of contract claim. But Visa did not raise
    the issue before the trial court, and it does not raise it on appeal.
    
    
          Visa appeals.
    
                                        II. Discussion
    
          Visa challenges (1) the trial court’s summary judgment on Sally Beauty’s breach
    
    of contract claim, i.e., its determination that the GCAR liquidated damages clause is
    
    unenforceable; and (2) the trial court’s summary judgment on Visa’s fraud
    
    counterclaim, i.e., its implied findings that Visa lacked standing and failed to state a
    
    claim for fraud.
    
    A. Contract Claim: Is the GCAR Liquidated Damages Clause Enforceable?
          The parties agree that the GCAR assessment is a liquidated damages provision.
    
    Thus, the first and most significant issue in this case is whether the liquidated damages
    
    provision (the GCAR assessment) is enforceable or unenforceable. Visa argues that
    
    the liquidated damages provision is presumed valid under California law and that
    
    none of Sally Beauty’s arguments invalidate it. Sally Beauty argues that the provision
    
    is not presumed valid and that, regardless, it is an unenforceable penalty because
    
    (1) the provision compensates Visa for harm sustained by third parties (i.e., issuers);
    
    (2) the provision does not extinguish Fifth Third’s liability for the breach; and (3) the
    
    provision did not provide a reasonably certain estimate of damages because Visa
    
    could unilaterally change the Visa Core Rules—including the liquidated damages
    
    provision—at any time.
    
    
    
    
          1. Standard of Review
          The parties agree that California law governs Visa’s contract with Fifth Third.23
    
    Therefore, we apply California law to the substantive questions. See HealthTronics, Inc.
    
    v. Lisa Laser USA, Inc., 382 S.W.3d 567, 577 (Tex. App.—Austin 2012, no pet.). But
    
    we apply Texas law to the procedural questions, including the standard of review. See
    
    In re Lisa Laser USA, Inc., 310 S.W.3d 880, 883 n.2 (Tex. 2010) (orig. proceeding);
    
    Arkoma Basin Expl. Co. v. FMF Assocs. 1990-A, Ltd., 249 S.W.3d 380, 387 & n.17 (Tex.
    
    2008); HealthTronics, 382 S.W.3d at 577; Billman v. Mo. Pac. R.R. Co., 825 S.W.2d 525,
    
    526 (Tex. App.—Fort Worth 1992, writ denied).
    
          Under Texas law, “[w]e review summary judgments de novo.” BPX Operating
    
    Co. v. Strickhausen, 629 S.W.3d 189, 195 (Tex. 2021); Peterson, Goldman & Villani, Inc. v.
    
    Ancor Holdings, LP, 584 S.W.3d 556, 562 (Tex. App.—Fort Worth 2019, pet. denied).
    
    We will affirm if any of the theories advanced in support of the judgment are
    
    meritorious. Dow Chem. Co. v. Francis, 46 S.W.3d 237, 242 (Tex. 2001). But “[w]hether
    
          23
             In our review and application of California law, we do not cite or rely upon
    unpublished opinions from the California courts of appeals for the precedential value
    of those opinions. See Cal. R. Ct. 8.1115(a) (providing that, subject to exceptions not
    applicable here, “an opinion of a California Court of Appeal or superior court
    appellate division that is not certified for publication or ordered published must not
    be cited or relied on by a court or a party in any other action”); cf. also Tex. R. App. P.
    47.7(a) (providing that unpublished opinions in criminal cases “have no precedential
    value”). Instead, we refer to such opinions for guidance regarding California courts’
    application of settled law. See Cal. R. Ct. 8.1105(c) (providing the standards for
    publication and providing for publication when the opinion, for example,
    “[e]stablishes a new rule of law”; “[m]odifies, explains, or criticizes with reasons given,
    an existing rule of law”; or “[a]ddresses or creates an apparent conflict in the law”).
    
    
    a contractual provision is an enforceable liquidated damages provision or an
    
    unenforceable penalty is a question of law for the court to decide.” Phillips v. Phillips,
    
    820 S.W.2d 785, 788 (Tex. 1991).
    
          2. Presumption of Validity
          In California, a liquidated damages provision in a commercial contract enjoys a
    
    statutory presumption of validity:24 “[A] provision in a [commercial] contract
    
    liquidating the damages for the breach of the contract is valid unless the party seeking
    
          24
            California enacted this pro-liquidated damages statute in 1977, effective July 1,
    1978. See Cal. Civ. Code § 1671 note (Law Revision Commission comments to 1977
    amendment). Before then, liquidated damages were generally presumed to be invalid,
    and the proponent of a liquidated damages clause bore the burden to prove its
    enforceability. El Centro Mall, LLC v. Payless ShoeSource, Inc., 94 Cal. Rptr. 3d 43, 46
    (Cal. Ct. App. 2009); Radisson Hotels Int’l, Inc. v. Majestic Towers, Inc., 488 F. Supp. 2d
    953, 958–59 (C.D. Cal. 2007) (order); see also Micrel, LLC v. Zinn, Nos. A157136,
    A158069, 2021 WL 1259561, at *2–3 (Cal. Ct. App. Apr. 6, 2021) (not designated for
    publication); Mission Linen Supply v. Carmel Country Inn, LLC, No. H039644, 2015 WL
    920450, at *6 n.8 (Cal. Ct. App. Mar. 2, 2015) (not designated for publication). This is
    still the case for noncommercial liquidated damages; the 1977 amendment
    distinguished between commercial and noncommercial liquidated damages clauses,
    and it applied the presumption of validity only to the former. See Cal. Civ. Code
    § 1671(b), (c), (d). Consequently, cases that predate the 1977 amendment are not
    necessarily authoritative, nor are cases involving noncommercial contracts.
            However, the California Supreme Court’s landmark opinion in Ridgley muddied
    the analysis a bit by invalidating a commercial liquidated damages clause based on pre-1977
    case law. See 953 P.2d at 491 & n.5 (stating that “[n]othing in the 1977
    legislation indicates an intent to abrogate Garrett’s [pre-amendment] analysis”). But
    this retention of the old analysis may be partially due to the court’s reliance on Civil
    Code Section 3275—a statute providing relief from contractual forfeitures—which
    the Ridgley court noted was “unchanged since 1872.” Id. at 487 (recognizing that
    “[t]he breaching party may raise section 3275 as an equitable defense to enforcement
    of the contractual provision or as grounds for relief in an action for restitution of the
    property forfeited”); see Cal. Civ. Code § 3275. Sally Beauty does not cite or rely upon
    Section 3275.
    
    
    to invalidate the provision establishes that the provision was unreasonable under the
    
    circumstances existing at the time the contract was made.” Cal. Civ. Code § 1671(b);
    
    see El Centro Mall, 94 Cal. Rptr. 3d at 46. This presumption of validity is intended to
    
    give the contracting parties “considerable leeway in determining the damages for
    
    breach”; the liquidated damages provision need only “represent the result of a
    
    reasonable endeavor . . . to estimate a fair average compensation for any loss that may
    
    be sustained.”25 Cal. Civ. Code § 1671(b) note (Law Revision Commission comments
    
    to 1977 amendment,26 subsection (b)); Ridgley, 953 P.2d at 488 (quoting Garrett, 511
    
    P.2d at 1202).
    
    
    
    
          25
            Originally, the reasonable-endeavor standard referenced a “reasonable
    endeavor by the parties.” Garrett v. Coast & S. Fed. Sav. & Loan Ass’n, 511 P.2d 1197,
    1202 (Cal. 1973); see Ridgley, 953 P.2d at 488 (quoting Garrett). But the Law Revision
    Commission’s report “did not state that the parties must make a reasonable endeavor to
    estimate actual damages. Instead, its report said that the liquidated damages provision
    ‘must reflect’ a reasonable endeavor to do so.” Util. Consumers’ Action Network, Inc. v.
    AT&T Broadband of S. Cal., Inc., 37 Cal. Rptr. 3d 827, 832–33 (Cal. Ct. App. 2006).
    The California Legislature adopted this report without change when it amended
    Section 1671 in 1977. Id. at 832. California courts have thus clarified that “the
    reasonable endeavor test does not require both parties to a form contract to expressly
    negotiate the amount of liquidated damages.” Id. at 832–33, 837.
          26
             The Law Revision Commission prepared a 1976 report recommending a
    change to California’s liquidated damages statute, and when the California Legislature
    amended Section 1671 in 1977, it adopted the Commission’s report without change.
    Util. Consumers’ Action Network, 37 Cal. Rptr. 3d at 832; Guthman v. Moss, 198 Cal. Rptr.
    54, 59 (Cal. Ct. App. 1984). The Commission’s comments are thus given “substantial
    weight” in interpreting Section 1671(b). See Util. Consumers’ Action Network, 37 Cal.
    Rptr. 3d at 832; Guthman, 198 Cal. Rptr. at 58–59.
    
    
           The party seeking to invalidate the liquidated damages provision must prove
    
    that it is an unreasonable penalty, i.e., that it “bears no reasonable relationship to the
    
    range of actual damages that the parties could have anticipated would flow from a
    
    breach.” Ridgley, 953 P.2d at 488. The California Supreme Court has described a
    
    penalty as a provision that “operates to compel performance of an act” by requiring a
    
    forfeiture upon default “without regard to the damages sustained by the party
    
    aggrieved by the breach.” Id. In short, “[a]n amount disproportionate to the
    
    anticipated damages is termed a ‘penalty.’”27 Id. (alteration in original) (quoting Perdue
    
    v. Crocker Nat’l Bank, 702 P.2d 503, 515 (Cal. 1985)).
    
    
    
           27
              Generally, California cases invalidating commercial liquidated damages clauses
    as penalties have done so because the amount of liquidated damages—often a single
    flat rate for any of a number of breaches—is significantly larger than the damages the
    parties anticipated would flow from the precise breach at issue. See, e.g., Grand Prospect
    Partners, L.P. v. Ross Dress for Less, Inc., 182 Cal. Rptr. 3d 235, 261 (Cal. Ct. App. 2015)
    (relying on factfinding that “no harm was anticipated” and holding that “there was no
    reasonable relationship” between the liquidated damages and the anticipated harm);
    Purcell v. Schweitzer, 169 Cal. Rptr. 3d 90, 95–96 (Cal. Ct. App. 2014) (holding that
    liquidated damages “bore no reasonable relationship to the damages that . . . could be
    expected”); Dollar Tree Stores Inc. v. Toyama Partners LLC, 875 F. Supp. 2d 1058, 1072–
    73 (N.D. Cal. 2012) (order) (holding liquidated damages clause unenforceable because
    “it impose[d] the same $2,500 penalty for at least nine different types of breach of
    varying degrees of magnitude, and because it impose[d] that penalty indefinitely”); see
    also Marinakis v. Dias, No. A146458, 2016 WL 5940911, at *3 (Cal. Ct. App. Oct. 13,
    2016) (not designated for publication) (holding liquidated damages “bore no
    reasonable relationship” to the amount at issue); Smith v. Royal Mfg. Co., 8 Cal. Rptr.
    417, 423 (Cal. Dist. Ct. App. 1960) (stating, in pre-amendment case, that “[w]here a
    fixed sum is agreed upon as liquidated damages for one of several breaches of varying
    degree, it is to be inferred that a penalty was intended”); Genesco, Inc. v. Visa U.S.A.
    Inc., No. 3:13CV202, 2013 WL 3790647, at *21–23 (M.D. Tenn. July 18, 2013) (mem.
    op.) (applying California law and citing Dollar Tree for the rule that liquidated damages
    
          “The validity of the liquidated damages provision depends upon its
    
    reasonableness at the time the contract was made and not as it appears in retrospect”;
    
    consequently, “the amount of damages actually suffered has no bearing on the validity
    
    of the liquidated damages provision.”28 Cal. Civ. Code § 1671 note (Law Revision
    
    Commission comments to 1977 amendment, subsection (b)); see Krechuniak, 217 Cal.
    
    Rptr. 3d at 747 (quoting Commission’s comments and recognizing that they are
    
    “entitled to great weight”); Util. Consumers’ Action Network, 37 Cal. Rptr. 3d at 832
    
    (similar); Guthman, 198 Cal. Rptr. at 58–59 (similar); see also El Centro Mall, 94 Cal.
    
    Rptr. 3d at 46–47 (quoting Commission’s comments as part of applicable law).
    
          Here then, we presume that the GCAR assessment is valid and enforceable
    
    unless Sally Beauty proves otherwise. Cf. Cal. Civ. Code § 1643 (“A contract must
    
    
    
    are unenforceable “where a commercial contract sets the same fixed sums for various
    types of breaches of the contract for delivery of good[s] under a contract”).
          28
             When determining if a liquidated damages clause is a penalty, some California
    courts cite the following list of nonexhaustive factors: (1) the relative equality of the
    bargaining power, (2) whether the parties were represented by lawyers at the time the
    contract was made, (3) the anticipation of the parties that proof of actual damages
    would be costly or inconvenient, (4) the difficulty of proving causation and
    foreseeability, and (5) whether the liquidated damages provision is included in a form
    contract. El Centro Mall, 94 Cal. Rptr. 3d at 46–47. These factors are contained in the
    statutory comments to Section 1671. Cal. Civ. Code § 1671 note (Law Revision
    Commission comments to 1977 amendment, subsection (b)). However, some
    California courts ignore these factors. Cf., e.g., Ridgley, 953 P.2d at 491 n.5 (rejecting
    argument that “a different set of rules must apply because this was an ‘arms-length
    commercial transaction’”). Regardless, neither Visa nor Sally Beauty list or rely upon
    this set of factors, apart from Visa’s references to the “sophisticated” nature of the
    parties.
    
    
    receive such an interpretation as will make it lawful, operative, definite, reasonable,
    
    and capable of being carried into effect, if it can be done without violating the
    
    intention of the parties.”).
    
           3. Sally Beauty’s Arguments
    
           Sally Beauty argues that the GCAR assessment is an unenforceable penalty for
    
    three reasons: (1) it compensates Visa for losses incurred by third parties—namely,
    
    the issuers—and thus bears no reasonable relationship to Visa’s recoverable damages;
    
    (2) it fails to extinguish Fifth Third’s liability for the breach; and (3) it does not
    
    provide a reasonably certain estimate of damages because Visa retained the discretion
    
    to unilaterally alter the GCAR program.29 There is no on-point, controlling California
    
    precedent addressing these three arguments in the credit-card context.30 But based on
    
    analogous case law, Sally Beauty’s arguments are unpersuasive.
    
    
    
           29
             Notably, none of Sally Beauty’s arguments implicate California’s traditional
    penalty analysis, i.e., determining whether the amount of liquidated damages “bears [a]
    reasonable relationship to the range of actual damages that the parties could have
    anticipated would flow from a breach.” See Ridgley, 953 P.2d at 488. Although Sally
    Beauty attempts to frame its first argument in terms of the traditional penalty
    analysis—claiming that the GCAR assessment is disproportionate to Visa’s anticipated
    damages—Sally Beauty’s argument does not actually turn on proportionality; it turns
    on whether Visa could recover for the issuers’ damages at all.
           30
             Although each party points to a specific case that it claims is on point—Visa
    to Paymentech v. Landry’s and Sally Beauty to Genesco, Inc. v. Visa U.S.A. Inc.—these
    cases are distinguishable.
           In Paymentech, Chase Bank sued Landry’s to recover the assessments it had paid
    to Visa and Mastercard for Landry’s hack. 2020 WL 1671075, at *1. Landry’s was
    required to indemnify Chase under the parties’ contract, but Landry’s claimed that
    
                 a. Compensation for Damages to Third Parties
          First, Sally Beauty argues that the GCAR assessment is a penalty because it is
    
    not proportional to Visa’s own damages but instead compensates Visa for the issuers’
    
    
    
    
    indemnification was not warranted because the payment brands’ assessments were
    invalid penalties. Id. The Southern District of Texas held that the assessments were
    valid. Id. Visa claims that Sally Beauty’s three arguments were raised by Landry’s in
    the motions that led to the summary judgment order, but Sally Beauty disputes this.
    Either way, the Paymentech court did not address the arguments in its opinion. Id. And
    it is unclear whether the court relied on California law for its analysis. Id. This
    precedent is not on point.
           And the other Paymentech decisions are even less relevant to the three arguments
    presented here. See Paymentech, LLC v. Landry’s Inc., No. H-18-1622, 2021 WL
    1856553, at *1–2 (S.D. Tex. May 10, 2021) (discussing admissibility of expert report
    and whether Landry’s breached its contract with Chase), appeal dismissed sub nom.
    Paymentech, L.L.C. v. Landry’s Inc., No. 21-20259, 2021 WL 5544928 (5th Cir. June 25,
    2021) (per curiam); Paymentech, LLC v. Landry’s Inc., No. H-I8-I622, 2021 WL 5154788,
    at *1 (S.D. Tex. Feb. 12, 2021) (dismissing Landry’s breach of contract claims against
    Visa and Mastercard due to lack of standing); see also Landry’s, 4 F.4th at 368–72
    (addressing Landry’s insurer’s duty to defend).
           Sally Beauty, in turn, highlights Genesco in its brief. 2013 WL 3790647, at *1–23.
    In that case, Genesco experienced a data hack, and it indemnified Wells Fargo and
    Fifth Third for Visa’s hack-related noncompliance fees and GCAR assessments. Id. at
    *1. Genesco then sued Visa as indemnitee and subrogee of Fifth Third and Wells
    Fargo, pleading many of the same claims Sally Beauty had pleaded below—including a
    violation of California Business and Professional Code Section 17200 and common
    law claims of unjust enrichment and restitution. Id. Visa moved to dismiss Genesco’s
    Section 17200 claim and its common law claims, but the trial court denied the motion,
    holding that “Genesco’s complaint state[d] viable and plausible [statutory] and
    common law claims under California law.” Id. at *1–2, *23. None of the reasons the
    court gave for its decision are relevant to the three liquidated damages arguments
    presented here. Id. at *17–23. Genesco thus did not involve the same questions,
    standards of review, or causes of action.
    
    
    damages.31 In its motion for summary judgment, Sally Beauty claimed that under
    
    “basic” contract law, a party cannot recover for the losses of another, and “[a]
    
    provision that compensates a party to a contract for alleged damages to a stranger to
    
    the contract resulting from a breach could never be a reasonable estimate of the
    
    nonbreaching party’s damages.”32 But this creative framing of the issue hides the ball.
    
          A nonbreaching party can recover for foreseeable third-party damages resulting
    
    from a breach if the nonbreaching party is liable for the third party’s damages and if
    
    the breaching party knew of the liability at the time the contract was executed.33 See
    
    
    
          31
             Sally Beauty does not argue that the GCAR assessment is disproportionate to
    the issuers’ anticipated injuries stemming from a hack.
          32
            In its motion for summary judgment, Sally Beauty emphasized that the issuing
    banks were not third-party beneficiaries (something Visa does not dispute). See In re
    TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 499 (1st Cir. 2009) (op. on reh’g)
    (holding issuer was not a third-party beneficiary to Visa’s contract with Fifth Third).
    But the fact that the issuers are not third-party beneficiaries means that they cannot
    enforce the contract—which they are not attempting to do in the case before us. Sally
    Beauty has not cited any case law indicating that a party to a contract can recover
    consequential damages paid to nonparties only if those nonparties are third-party
    beneficiaries. And on appeal, Sally Beauty does not discuss the relevance of third-
    party beneficiary status at all; it merely references third-party beneficiaries in the
    headings of its brief.
          33
             Sally Beauty cites numerous cases, claiming that a party cannot recover for
    damages to nonparties, but these cases hold no such thing. See Bondanza v. Peninsula
    Hosp. & Med. Ctr., 590 P.2d 22, 25–27 (Cal. 1979) (discussing pre-amendment
    consumer contract and holding that debt-collection charge was penalty where the
    patient–consumers agreed only to an unspecified “reasonable” fee and the hospital
    and debt-collecting organizations did not attempt to carry their burden to show that
    fixing the actual collection cost was impracticable); Dyer Bros. Golden W. Iron Works v.
    Cent. Iron Works, 189 P. 445, 446–47 (Cal. 1920) (reversing trial court order that had
    sustained defendants’ demurrers where plaintiff sought to enforce liquidated damages
    
    Lewis Jorge Constr. Mgmt., Inc. v. Pomona Unified Sch. Dist., 102 P.3d 257, 261–62 (Cal.
    
    2004) (discussing recovery of special damages); D. A. Parrish & Sons v. Cnty. Sanitation
    
    Dist. No. 4 of Santa Clara Cnty., 344 P.2d 883, 888 (Cal. 1959) (“[Respondent] claimed
    
    damages against appellant on the theory that appellant’s breach of contract resulted in
    
    [respondent] incurring liability to its subcontractors. . . . [So] to the extent respondent
    
    was liable to them, appellant was liable to respondent.”). In fact, recovery for
    
    damages paid to a third party is common—particularly when, as here, the parties are
    
    participants in a multi-layered project or system, such as in “large construction
    
    projects with layers of contractors, subcontractors, sub-subcontractors, and so on.”34
    
    Cmty. Bank of Trenton, 887 F.3d at 815 (recognizing that the payment-card network is
    
    analogous to a large construction project). Such recovery can take the form of an
    
    indemnity agreement, see, e.g., Cal. Civ. Code § 2772; Prince v. Pac. Gas & Elec. Co., 202
    
    P.3d 1115, 1119 (Cal. 2009) (discussing contractual indemnity and equitable
    
    
    provision and pleaded that it had been impracticable to fix the parties’ damages,
    undermining defendants’ demurrer argument that the provision was an unenforceable
    penalty); Grand Prospect Partners, 182 Cal. Rptr. 3d at 259–61 (holding that contractual
    provision was a penalty based on factfinding that merchant anticipated no damages
    from breach with no mention of third-party liability).
          34
            Visa cites cases involving governmental entities (recovering for harm to the
    public) and cooperative marketing associations (recovering for harm to their
    members) as examples of the courts’ willingness to award damages for harm to third
    parties. But these entities were awarded damages for harm inflicted on those they
    represented. Visa does not represent the public or the issuing banks; as Sally Beauty
    points out, Visa is a publicly traded company that represents its shareholders. The
    cases involving governmental entities and marketing associations are thus
    distinguishable.
    
    
    indemnity), it can appear as a pass-through claim in the public-works context, see, e.g.,
    
    Howard Contracting, Inc. v. G.A. MacDonald Constr. Co., 83 Cal. Rptr. 2d 590, 602 (Cal.
    
    1998), as modified (Jan. 20, 1999),35 or it can appear as an element of special damages
    
    recoverable under the traditional Hadley v. Baxendale rule—the rule that governs
    
    contract damages in the absence of an agreement to the contrary. See Lewis Jorge
    
    Constr. Mgmt., 102 P.3d at 261–62; Hadley v. Baxendale (1854) 9 Exch. 341, 354–55, 156
    
    Eng. Rep. 145, 151.
    
          Under the Hadley rule—which, again, governs when a party seeks to prove its
    
    actual breach of contract damages in court—the nonbreaching party can recover
    
    breach of contract damages for “all the detriment proximately caused [by the breach],
    
    or which, in the ordinary course of things, would be likely to result therefrom.” Cal.
    
    Civ. Code § 3300; see Lewis Jorge Constr. Mgmt., 102 P.3d at 262 (noting that the Hadley
    
          35
              In the public-works context, California law not only authorizes third-party
    damages but also allows a general contractor to assert a subcontractor’s claims against
    the owner on a pass-through basis. Sehulster Tunnels/Pre-Con v. Traylor Bros.,
    Inc./Obayashi Corp., 4 Cal. Rptr. 3d 655, 672–73 (Cal. Ct. App. 2003); see Howard
    Contracting, 83 Cal. Rptr. 2d at 602. But it is unclear whether pass-through claims are
    available when the government is not involved. Compare Glass Strand Inc. v. Vincula
    Int’l, Ltd., No. E051433, 2011 WL 4501043, at *4 (Cal. Ct. App. Sept. 29, 2011) (not
    designated for publication) (distinguishing public-works context), and Superior Gunite v.
    Ralph Mitzel Inc., 12 Cal. Rptr. 3d 423, 433 n.8 (Cal. Ct. App. 2004) (declining to
    address whether pass-through claims could be asserted against a private party), with
    Hathaway Dinwiddie Constr. Co. v. United Air Lines, Inc., 50 F. App’x 817, 820–21, 823–
    24 (9th Cir. 2002) (allowing pass-through claims against private party), and Preston
    Pipelines, Inc. v. JCW-Cypress Home Grp., No. C046055, 2006 WL 1119161, at *14 (Cal.
    Ct. App. Apr. 28, 2006) (not designated for publication) (citing Howard and implying
    that general contractor could pursue subcontractor’s claims against private owner on a
    pass-through basis).
    
    
    rule has been incorporated into Section 3300). The California Supreme Court has
    
    recognized that the Hadley rule authorizes not only general, direct damages but also
    
    special, consequential damages “for unusual losses arising from special circumstances”
    
    of which the nonbreaching party was aware. Lewis Jorge Constr. Mgmt., 102 P.3d at
    
    261–62. In other words, if the breaching party knew that its breach would “resul[t] in
    
    claims by third persons against the injured party,” then the breaching party “is liable
    
    for the amount of any judgment against the injured party”—even if the judgment “is
    
    based on a liquidated damage clause in the injured party’s contract with the third
    
    party.” Restatement (Second) of Contracts § 351 cmt. c (Am. L. Inst. 1981). The
    
    Hadley rule dates back to 1854, and it is as widespread as it is longstanding; Texas
    
    follows the same rule, as does the Restatement (Second) of Contracts.36 See Basic Cap.
    
    
    
          36
            Indeed, when there are layers of liability—such as in the construction
    context—the Texas Supreme Court has encouraged the parties to incorporate third-
    party damages into their contracts with one another rather than resorting to tort
    claims:
          [W]e think the contractor’s principal reliance must be on the
          presentation of the plans by the owner, with whom the contractor is to
          reach an agreement, not the architect, a contractual stranger.
                 ....
          . . . . [I]f the architect is contractually liable to the owner for defects in
          the plans, and the owner in turn has the same liability to the contractor,
          the contractor is protected.
    LAN/STV v. Martin K. Eby Constr. Co., 435 S.W.3d 234, 237–50 (Tex. 2014) (applying
    economic loss rule and holding that contractor could not recover from architect in
    tort when contractor was unsatisfied with the contract damages he recovered
    
    Mgmt., Inc. v. Dynex Com., Inc., 348 S.W.3d 894, 901–02 (Tex. 2011) (recognizing
    
    Restatement (Second) of Contracts Section 351 as a reiteration of the Hadley rule);
    
    Lewis Jorge Constr. Mgmt., 102 P.3d at 262; Restatement (Second) of Contracts § 351; see
    
    also 25 C.J.S. Damages § 33 (2021).
    
          Generally, when analyzing whether special third-party damages are recoverable
    
    under Hadley, California courts have focused on foreseeability and timing; the fact that
    
    the special damages will indirectly compensate a third party is a non-issue. See, e.g.,
    
    Pac. Pine Lumber Co. v. W.U. Tel. Co., 56 P. 103, 105 (Cal. 1898) (focusing on premature
    
    timing and holding that plaintiff could recover only for third-party liability caused by
    
    defendant’s actions after plaintiff paid the claim); Green Wood Indus. Co. v. Forceman
    
    Int’l. Dev. Grp., Inc., 67 Cal. Rptr. 3d 624, 632–34 (Cal. Ct. App. 2007) (focusing on
    
    premature timing and holding that the plaintiff had not shown with sufficient
    
    certainty that it would be forced to pay the third-party damages at issue); Morgan v.
    
    Tzung, 278 Cal. Rptr. 221, 224–26 (Cal. Ct. App. 1991) (not designated for
    
    publication) (recognizing that nonbreaching party’s tax liability qualified as special
    
    damages under Civil Code Section 3300, Restatement (Second) of Contracts Section
    
    351, and the Hadley rule, but prohibiting recovery because breaching party was not
    
    aware of circumstances making special damages foreseeable); see also Ely v. Bottini, 3
    
    Cal. Rptr. 756, 761–63 (Cal. Dist. Ct. App. 1960) (holding that subcontractor who
    
    indirectly through the owner). The GCAR program’s layered-liability approach is
    precisely what the supreme court recommended.
    
    
    caused delay was liable for delay-related damages that general contractor was
    
    contractually obligated to pay the owner).
    
          Here, the Visa Core Rules govern both foreseeability and timing. The Visa
    
    Core Rules demonstrate that Fifth Third knew that PCI DSS noncompliance could
    
    facilitate a hack, it knew that a hack would cause fraud-related issuer expenses, and it
    
    knew that Visa would be contractually obligated to reimburse a portion of those issuer
    
    expenses based on the GCAR formula.37 With this knowledge, Fifth Third
    
    contractually agreed to compensate Visa for the issuer reimbursements, and Fifth
    
    Third contractually agreed to the timing of this compensation.38 Although the GCAR
    
    
    
          37
            The issuers are required to pay a predefined percentage of their GCAR
    recovery to Visa for GCAR program-administration costs. However, Sally Beauty
    overlooks the administration fee entirely and alleges that the GCAR assessment “does
    not even purport to calculate any [i]ntrusion-related injury incurred by Visa.”
          38
               The GCAR assessment is designed to compensate Visa for the issuer
    reimbursements before Visa actually pays the reimbursements. But some California
    courts have required actual payment of a third-party liability as a prerequisite to
    recovery. See Pac. Pine Lumber, 56 P. at 105; Green Wood Indus., 67 Cal. Rptr. 3d at 632–
    34; see also Shahram Holdings, Inc. v. Env’t. Geotech. Lab., Inc., No. B220201, 2011 WL
    1368542, at *3–5 (Cal. Ct. App. Apr. 12, 2011) (not designated for publication); O.E.I.
    Int’l, Inc. v. Yong Ming Int’l Grp., Inc., No. B201960, 2008 WL 2908077, at *2 (Cal. Ct.
    App. July 30, 2008) (not designated for publication); 23 Cal. Jur. 3d Damages § 24
    (2021). “This is because the fact of damage is inherently uncertain in such
    circumstances”; “the existence of a mere liability is not necessarily the equivalent of
    actual damage.” Green Wood Indus., 67 Cal. Rptr. 3d at 633; see also Walker v. Pac. Indem.
    Co., 6 Cal. Rptr. 924, 927 (Cal. Dist. Ct. App. 1960). Here though, Sally Beauty does
    not argue that Visa’s recovery was premature. Cf. Kelley v. Upshaw, 246 P.2d 23, 27
    (Cal. 1952) (“The rule has long been settled that the defense that an action is
    premature is in the nature of a dilatory plea not favored in the law, and that such
    defense must be seasonably urged in the trial court or it is waived.”). And Visa has
    
    assessment arguably liquidated Visa’s liability before it could have recovered in the
    
    absence of such a provision, Sally Beauty does not raise that argument.39 Rather, Sally
    
    Beauty argues that, as a matter of law, Visa could never recover for the issuers’ injuries
    
    because the issuers are third parties, and thus the GCAR assessment “does not even
    
    purport to calculate any [hack]-related injury incurred by Visa.”40 This is simply not
    
    the case.
    
    
    indicated that it “already fulfilled its obligation to pass along the [a]ssessment to
    issuers,” rendering the issue moot.
    More to the point, the actual-payment requirement governs damage awards in the
    absence of a contractual provision to the contrary. Nothing prevents a private party
    from agreeing to compensate (and effectively indemnify) another for the latter’s
    liability to a third party. See Cal. Civ. Code § 2772 (defining indemnity), § 2778
    (providing rules of interpretation for indemnity contracts).
           39
              In a single sentence in its brief, Sally Beauty notes that “[i]f Visa concludes it
    is unable or not in the best interests of the Visa system as a whole to assess or collect
    an assessment under GCAR for any reason, issuers shall have no right to any GCAR
    recovery amounts.” But this provision merely relieves Visa of liability for the GCAR
    assessment if it is unable or unwilling to recover the assessment from the acquirer.
    Although Visa’s liability is “contingent on Visa’s ability to collect the calculated
    assessment from the responsible [a]cquirer(s),” it nonetheless exists. Cf., e.g., Hathaway
    Dinwiddie Const., 50 F. App’x at 820–21 (recognizing that general contractor could
    pursue claims against appellee on behalf of subcontractors based on contingent
    obligation to bring subcontractors’ claims if general contractor brought its own);
    Interstate Contracting Corp. v. City of Dall., 135 S.W.3d 605, 619 (Tex. 2004) (recognizing
    pass-through claims in construction context and stating that “[c]onditional liability as
    expressed in a subcontract . . . is sufficient to prove liability, even when the agreement
    provides that the contractor has no obligation to pay the subcontractor unless and
    until it recovers from the owner”). Sally Beauty has not explained why this
    contingency would relieve Fifth Third (and thus Sally Beauty) of liability to Visa.
           40
             Sally Beauty claims that Visa “admits it suffered no harm.” This is not
    accurate. Nonetheless, it is undisputed that the GCAR assessment is intended to
    remedy the issuers’ harm rather than Visa’s.
    
           While California’s liquidated damages statute prohibits unreasonable penalties
    
    that have “no reasonable relationship to the range of actual damages that the parties
    
    could have anticipated,” Ridgley, 953 P.2d at 488, it does not prohibit the parties from
    
    liquidating the special damages that one of them owes to a third party. See Cal. Civ.
    
    Code § 1671(b) (Law Revision Commission comments to 1977 amendment,
    
    subsection (b)). Sally Beauty does not appear to dispute that the GCAR assessment
    
    bears a reasonable relationship to the damages that Visa anticipated paying to the
    
    issuers as a result of Fifth Third’s breach. See Ridgley, 953 P.2d at 488. We therefore
    
    reject Sally Beauty’s first argument.
    
                  b. Failure to Extinguish Liability
           In its second argument, Sally Beauty claims that the GCAR assessment is a
    
    penalty because it does not extinguish all of Fifth Third’s liability for the breach—
    
    either to the issuers or to Visa. Regarding the issuers, Sally Beauty argues that the
    
    assessment does not limit an issuer’s right to sue for the same breach. And as to Visa,
    
    Sally Beauty points to two other liquidated damages provisions in the Visa Core
    
    Rules—a noncooperation fee and a noncompliance fee—which Sally Beauty claims
    
    Visa could use to seek duplicative compensation for the same breach.41 Although
    
    Visa claims that these provisions address different injuries, Sally Beauty argues that
    
    
    
           41
             Under the Visa Core Rules, the noncompliance assessments are “in addition
    to enforcement rights available to Visa under other provisions of the Visa [Core]
    Rules, or through other legal or administrative procedures.”
    
    
    California law prohibits multiple recoveries for a single breach, even if the recoveries
    
    compensate for distinct injuries. Sally Beauty thus argues that a liquidated damages
    
    clause is required to “represent the total extent of liability for a contract breach” and
    
    that because the GCAR assessment does not do so, the assessment is unreasonable.
    
    But Sally Beauty’s argument was not fully preserved, it is entirely hypothetical, and it is
    
    based on an incorrect understanding of California law.
    
           First, Sally Beauty did not preserve this ground as to the issuers. Sally Beauty’s
    
    motion for summary judgment claimed that the GCAR assessment was required to
    
    extinguish Fifth Third’s liability to Visa; it did not mention Fifth Third’s liability to the
    
    issuers. See Rex Performance Prods., LLC v. Tate, No. 02-20-00009-CV, 2020 WL
    
    7776795, at *10 (Tex. App.—Fort Worth Dec. 31, 2020, pet. denied) (mem. op.) (“It
    
    is fundamental that a motion for summary judgment must stand or fall on the
    
    grounds it specifically and expressly sets forth.”).
    
           Second, even if it had fully preserved its argument, Sally Beauty’s double-
    
    recovery argument is hypothetical—both as to the issuers and as to Visa. Sally Beauty
    
    does not claim that Visa used the GCAR assessment to compensate issuers that had
    
    previously recovered from Fifth Third, nor does Sally Beauty argue that any issuers
    
    have successfully recovered from Fifth Third in the time since. If, at some point in
    
    the future, the issuers seek compensation from Fifth Third for the same damages
    
    covered by the GCAR assessment, the relevant court can consider the issuers’ legal
    
    claims and determine whether any double-recovery principles should be applied (e.g.,
    
    whether Fifth Third is entitled to a credit).42 Cf. Patterson v. Planned Parenthood of Hous.
    
    & Se. Tex., Inc., 971 S.W.2d 439, 443 (Tex. 1998) (“[W]aiting for cases’ timely factual
    
    development is also essential to the proper development of the state’s jurisprudence.
    
    Litigation based upon hypothetical possibility rather than concrete fact is apt to be
    
    poor litigation.” (internal citations and quotation marks omitted)). Right now, Sally
    
    Beauty asks us to prohibit the issuers from recovering anything based on the
    
    hypothetical risk that they might seek impermissibly duplicative damages in the future.
    
    There is no legal or logical support for this request. See Fein v. Permanente Med. Grp.,
    
    695 P.2d 665, 676–77 (Cal. 1985) (“Contrary to defendant’s contention, plaintiff’s
    
    recovery of such future lost wages will not inevitably subject defendant to a ‘double
    
    payment’ in the event plaintiff’s heirs bring a wrongful death action at some point in
    
    
           42
             It seems unlikely that the issuers will sue Fifth Third in the future given the
    applicable statute of limitations, the economic loss rule, and the fact that the issuers
    are not third-party beneficiaries of Visa’s contract with Fifth Third. See, e.g., Cal. Civ.
    Proc. Code § 337 (providing four-year statute of limitations for breach of contract);
    Tex. Civ. Prac. & Rem. Code Ann. § 16.051 (providing four-year residual statute of
    limitations applicable to most breaches of contract); see Cmty. Bank of Trenton, 887 F.3d
    at 811–21, 826 (declining to recognize issuing banks’ tort claims against hacked
    merchant because “the claimed conduct and losses are subject to [Visa’s and
    MasterCard’s] networks of contracts,” and recognizing that the First and Third
    Circuits had held similarly); TJX, 564 F.3d at 498–99 (applying economic loss rule to
    bar issuers’ negligence claim against hacked merchant and Fifth Third). Amici have
    highlighted several additional obstacles to such a lawsuit, including the difficulty of
    determining and proving—on an account-by-account basis—that a specific data
    breach resulted in the actual theft of a given customer’s exposed credit-card
    information. Although such considerations do nothing to change the terms of the
    contract at issue, they nonetheless diminish the likelihood of the hypothetical double
    recovery that Sally Beauty anticipates.
    
    
    the future. . . . [Rather,] an appropriate set-off may be made in the later wrongful
    
    death action.”); Overly v. Ingalls Shipbuilding, Inc., 87 Cal. Rptr. 2d 626, 631 (Cal. Ct.
    
    App. 1999) (relying on Fein and rejecting argument “that permitting the [plaintiffs] to
    
    recover future economic damages in this case will result in a double recovery because
    
    the same damages are currently being sought in a [third-party] wrongful death case”);
    
    Monster Film Ltd. v. Martinen, No. 2:16-CV-01414-ODW, 2017 WL 8220213, at *3
    
    (C.D. Cal. Mar. 3, 2017) (order denying defendant’s motion to dismiss) (rejecting
    
    argument that future breach of contract damages might duplicate conversion damages
    
    at issue because “the bar against double recovery for the same harm is settled law”
    
    and the future court could “account for any recovery that [plaintiff] obtains in this
    
    action”).
    
          Similarly, Sally Beauty’s arguments regarding Visa are purely hypothetical. Sally
    
    Beauty does not claim that Visa actually imposed the allegedly duplicative
    
    noncooperation and noncompliance fees.43 Again, if at some point in the future Visa
    
    seeks duplicative damages from Fifth Third, any relevant double-recovery principles
    
    may be considered at that time. But Visa is not prohibited from recovering its issuer
    
    reimbursements based on a hypothetical risk that Visa might impose impermissible
    
    fees in the future.    See Keshbaf Knitting, Inc. v. Shoshani, No. B204935, 2008 WL
    
    
          43
            The parties’ briefs reference the $25,000 noncompliance fee that Visa
    imposed on Vantiv—Fifth Third’s payment processor. Visa’s contract with Vantiv is
    not before this court, nor are we asked to determine the validity of this assessment.
    
    
    5394985, at *5 (Cal. Ct. App. Nov. 24, 2008) (not designated for publication) (holding
    
    liquidated damages clause was not a penalty and rejecting hypothetical: “[appellant]
    
    poses an interesting hypothetical, but it is nothing more. . . . [appellant] cites no
    
    authority that compels us to ignore the actual circumstances of the case, as opposed
    
    to a hypothetical, in determining whether there has been an unlawful forfeiture”); see
    
    also Bose Corp. v. Ejaz, 732 F.3d 17, 25 (1st Cir. 2013) (“[A] hypothetical larger range,
    
    separated from the actual facts and the amount sought, does not make a clause
    
    unreasonable. Rather, courts examine for reasonableness the amount of liquidated
    
    damages actually sought.”); In re Premier Golf Props., LP, 564 B.R. 660, 696–700 (Bankr.
    
    S.D. Cal. 2016) (holding that liquidated damages clause was not a penalty and rejecting
    
    hypothetical: “[T]he court need not decide what remedies Claimant hypothetically
    
    possessed for, say, Debtor’s removing a bar stool. The relevant default here is the
    
    failure to pay the delinquent property taxes.”).
    
          Third, Sally Beauty is wrong on the law. Sally Beauty argues that “if a contract
    
    purports to allow multiple recoveries for the same contract breach, then the liquidated
    
    damages provision is an unenforceable penalty regardless of whether the recoveries
    
    address different injuries.” But the California Supreme Court has explained that the
    
    rule against double recovery distinguishes between injuries rather than causes of action:
    
          Regardless of the nature or number of legal theories advanced by the
          plaintiff, he is not entitled to more than a single recovery for each
          distinct item of compensable damage supported by the evidence. . . .
    
                 ....
    
                 In contrast, where separate items of compensable damage are
          shown by distinct and independent evidence, the plaintiff is entitled to
          recover the entire amount of his damages, whether that amount is
          expressed by the jury in a single verdict or multiple verdicts referring to
          different claims or legal theories.
    
    Tavaglione v. Billings, 847 P.2d 574, 580 (Cal. 1993). This is consistent with the law
    
    elsewhere in the nation; generally, “[a] provision for liquidated damages does not
    
    prevent the recovery of actual damages caused by events that are not covered by the
    
    liquidated damages clause unless the contract expressly precludes the recovery of
    
    damages other than those enumerated.” 22 Am. Jur. 2d Damages § 539; see Palmco Corp.
    
    v. Am. Airlines, Inc., 983 F.2d 681, 687 (5th Cir. 1993) (applying Texas law and holding
    
    that “[b]ecause [appellant’s] liquidated and cover damages redressed different injuries,
    
    and thus were not duplicative, the magistrate judge erred in concluding that
    
    [appellant] was not entitled to receive both damage remedies”).
    
          Here, the two allegedly duplicative liquidated damage clauses that Sally Beauty
    
    points to—the noncooperation fee and the noncompliance fee—do not compensate
    
    Visa for its obligation to reimburse the issuers for fraud-related damages resulting
    
    from a hack. The noncooperation fee (1) compensates Visa for its own damage
    
    (rather than its obligation to pay the issuers), and (2) redresses a compromised entity’s
    
    “refus[al] to allow a forensic investigation.”          And the noncompliance fee
    
    (1) compensates Visa for its own damage, and (2) redresses any breach of the Visa
    
    Core Rules, “regardless of the criminal attack, thus distinguishing it from the
    
    assessmen[t].” See Spec’s Fam. Partners, Ltd. v. First Data Merch. Servs. LLC, 777 F.
    
    App’x 785, 789 (6th Cir. 2019) (rejecting argument that merchant’s payment of
    
    noncompliance fee made it liable to indemnify acquirer for Visa’s issuer-
    
    reimbursement assessment).
    
           Moreover, to the extent that Sally Beauty condemns the GCAR program based
    
    on Visa’s hypothetical ability to impose the allegedly overlapping noncompliance and
    
    noncooperation fees, its argument is undermined by one of its own cited cases: El
    
    Centro Mall. 94 Cal. Rptr. 3d at 44–48. In that case, Payless stopped operating before
    
    the end of its lease, and its landlord—El Centro Mall—assessed liquidated damages of
    
    10 cents per square foot per day, totaling approximately $98,000. Id. at 44–46. The
    
    parties’ contract described the liquidated damages as “the minimum
    
    damages . . . suffered . . . including damages as a result of Landlord’s failure to receive
    
    Percentage Rental [i.e., a percentage of Payless’s monthly sales].” Id. at 45, 47. But
    
    the contract expressly authorized El Centro to recover these liquidated damages in
    
    addition to Payless’s percentage-rental payments.        Id. at 45.     Plus, the contract
    
    included a separate formula to determine the amount of percentage rental due when
    
    the landlord terminated the lease based on the tenant’s default. Id. at 47.
    
           The court of appeals recognized that the percentage-rental formula rendered
    
    the liquidated damages provision an “unnecessary” and duplicative penalty “to the
    
    
    
    
    extent considered only as a basis for estimating percentage[-]rental damages.”44 Id.
    
    But the challenged provision encompassed other damages as well; it included “the
    
    anticipated loss of the synergy, goodwill, and patronage Payless [would have]
    
    provide[d] by continuing to operate in the retail center.” Id. at 47–48. Because the
    
    liquidated damages provision encompassed these other injuries and because Payless
    
    failed to carry its burden to prove that 10 cents per square foot “did not represent a
    
    reasonable estimate of the actual damages a retail center would suffer if a tenant like
    
    Payless ceased operations,” the liquidated damages provision was enforceable. Id. at
    
    48.
    
          El Centro thus demonstrates that a liquidated damages provision is not
    
    invalidated by the mere existence of a second, partially overlapping damages
    
    provision.   So even if the GCAR assessment did partially overlap with the
    
    noncompliance fee or the noncooperation fee by compensating for some of the same
    
    injuries, the mere existence of such overlap would not invalidate the assessment. This
    
    is particularly applicable where, as here, Visa did not impose the noncompliance fee or
    
    the noncooperation fee on Fifth Third anyway.45 See also id. at 45 (noting that El
    
    Centro did not seek separate percentage-rental recovery).
    
    
          44
            El Centro did not seek additional percentage-rental payments; it sought only
    the $98,000. El Centro Mall, 94 Cal. Rptr. 3d at 44–45. Thus, as here, the allegedly
    duplicative nature of the liquidated damages clause was purely hypothetical.
          45
            Although Visa theoretically could have assessed this noncompliance fee
    against Fifth Third, it did not do so.
    
          In sum, the GCAR assessment was intended to capture the damages that Visa
    
    was obligated to pay to issuing banks, and the assessment was not required to
    
    extinguish Fifth Third’s liability for other items of compensable damages. We need
    
    not consider what hypothetically impermissible amounts Visa or the issuers might
    
    pursue in the future. Sally Beauty’s second argument is unconvincing.
    
                 c. Visa’s Discretion to Modify the Visa Core Rules
          In Sally Beauty’s third and final liquidated damages argument, it claims that the
    
    GCAR assessment is a penalty because Visa retained the discretion to unilaterally
    
    change the GCAR program—or anything else in the Visa Core Rules. Therefore,
    
    Sally Beauty contends that the assessment did not provide a reasonably certain
    
    estimate of the anticipated damages.
    
          Sally Beauty does not claim that Visa actually exercised this discretion. And it
    
    is unclear why the mere existence of Visa’s unexercised discretion to alter the
    
    liquidated damages provision would render the agreed-upon provision disproportional
    
    to the “range of actual damages that the parties could have anticipated would flow
    
    from a breach.”46 See Ridgley, 953 P.2d at 488.
    
          Contributing to this confusion, Sally Beauty claims that a liquidated damages
    
    provision constitutes a disproportionate penalty if it is not “fixed and certain.” But
    
    
    
          46
            To the extent that Sally Beauty urges us to consider what the liquidated
    damages would have been if Visa had exercised its discretion, the argument is entirely
    hypothetical. Cf. Patterson, 971 S.W.2d at 443.
    
    
    the “fixed and certain” language that Sally Beauty quotes comes into play when a
    
    court is determining whether a contractual provision qualifies as liquidated damages
    
    subject to Section 1671 at all—something Sally Beauty has already conceded. Ruwe v.
    
    Cellco P’ship, 613 F. Supp. 2d 1191, 1196–99 (N.D. Cal. 2009) (order denying
    
    defendant’s motion to dismiss) (holding that plaintiffs pleaded facts showing that the
    
    contract provision was sufficiently “fixed and certain” to constitute a liquidated
    
    damages clause, thus subjecting the provision to Section 1671 and allowing plaintiffs’
    
    penalty claim to escape a motion to dismiss); see also Free Range Content, Inc. v. Google
    
    Inc., No. 14-CV-02329-BLF, 2016 WL 2902332, at *10–11 (N.D. Cal. May 13, 2016)
    
    (order granting in part and denying in part motion to dismiss) (analyzing whether “the
    
    withheld sum is insufficiently certain for the Challenged Terms to constitute a
    
    liquidated damages provision,” then after concluding that it was sufficiently certain,
    
    holding that whether the liquidated damages provision was a penalty under Section
    
    1671(b) was a fact issue for the jury); ABI, Inc. v. City of Los Angeles, 200 Cal. Rptr. 563,
    
    573 (Cal. Ct. App. 1984) (using “reasonable certainty” language and analyzing whether
    
    a contract provision constituted liquidated damages and thus qualified for Section
    
    1671’s “favorable treatment”).       The parties agree that the GCAR program is a
    
    liquidated damages provision governed by Section 1671; they disagree regarding
    
    whether those liquidated damages constitute a penalty. So Sally Beauty has already
    
    implicitly conceded that the GCAR program is sufficiently “fixed and certain” to
    
    qualify as liquidated damages.
    
          Instead, Sally Beauty appears to muddy the penalty issue with illusoriness—the
    
    general principle that provides that when a contract grants one party unbridled
    
    discretion, it is illusory because “the party having such discretion makes no real
    
    promise to pay or to perform.” See Automatic Vending Co. v. Wisdom, 6 Cal. Rptr. 31, 33
    
    (Cal. Dist. Ct. App. 1960). An illusory contract lacks consideration or mutuality, but it
    
    is not necessarily a penalty as Sally Beauty contends. See Mattei v. Hopper, 330 P.2d
    
    625, 626–29 (Cal. 1958) (discussing enforceability of contract that conditioned one
    
    party’s performance on its “satisfaction” and recognizing that “[w]hether these
    
    problems are couched in terms of mutuality of obligation or the illusory nature of a
    
    promise, the underlying issue is the same[:] consideration”); 24 Hour Fitness, Inc. v.
    
    Superior Ct., 78 Cal. Rptr. 2d 533, 541–42 (Cal. Ct. App. 1998) (orig. proceeding)
    
    (rejecting former employee’s argument that contract and arbitration clause lacked
    
    consideration or mutuality because former employer maintained the unilateral right to
    
    modify); Automatic Vending, 6 Cal. Rptr. at 33 (recognizing that a contract truly
    
    granting one party unbridled discretion lacks consideration).
    
          Regardless, under California law, negating contracts through findings of
    
    illusoriness is not favored. So “[w]hen a party is given absolute discretion by express
    
    contract language, the courts will imply a covenant of good faith and fair dealing to
    
    limit that discretion in order to create a binding contract and avoid a finding that the
    
    promise is illusory.” Hester v. Pub. Storage, 263 Cal. Rptr. 3d 299, 309 n.3 (Cal. Ct. App.
    
    2020) (quoting Storek & Storek, Inc. v. Citicorp Real Estate, Inc., 122 Cal. Rptr. 2d 267,
    
    278 (Cal. Ct. App. 2002), and recognizing that a contract provision giving a defendant
    
    the “unqualified right to void the sale” is not facially invalid); see Casas v. Carmax Auto
    
    Superstores Cal. LLC, 169 Cal. Rptr. 3d 96, 99 (Cal. Ct. App. 2014) (holding that,
    
    “[u]nder California law, . . . even a modification clause not providing for advance
    
    notice does not render an agreement illusory, because the agreement also contains an
    
    implied covenant of good faith and fair dealing”); Serpa v. Cal. Sur. Investigations, Inc.,
    
    155 Cal. Rptr. 3d 506, 516 (Cal. Ct. App. 2013) (holding that “the implied covenant of
    
    good faith and fair dealing limits the employer’s authority to unilaterally modify the
    
    arbitration agreement and saves that agreement from being illusory and thus
    
    unconscionable”); 24 Hour Fitness, 78 Cal. Rptr. 2d at 541–42 (holding that former
    
    employer’s “discretionary power to modify the terms of the personnel handbook in
    
    writing indisputably carrie[d] with it the duty to exercise that right fairly and in good
    
    faith,” and, “[s]o construed, the modification provision does not render the contract
    
    illusory”).47 “The implied covenant of good faith prevents one contracting party from
    
    ‘unfairly frustrating the other party’s right to receive the benefits of the agreement
    
    actually made.’” Serpa, 155 Cal. Rptr. 3d at 514 (quoting Guz v. Bechtel Nat’l Inc., 8 P.3d
    
    
          47
            See also Ashbey v. Archstone Prop. Mgmt., Inc., 612 F. App’x 430, 432 (9th Cir.
    2015) (mem. op.) (applying California law and holding that “unilateral modification
    provisions . . . are not substantively unconscionable because they are always subject to
    the limits ‘imposed by the covenant of good faith and fair dealing implied in every
    contract’” (quoting Serpa, 215 Cal. Rptr. 3d at 514)); Apex Compounding Pharm., LLC v.
    eFax Corp., No. LA CV16-05165 JAK (JPRX), 2018 WL 2589096, at *12 (C.D. Cal.
    Apr. 26, 2018) (order) (similar, quoting Ashbey).
    
    
    1089, 1110 (Cal. 2000)); see Storek & Storek, 122 Cal. Rptr. 2d at 276 (similar,
    
    recognizing that the covenant of good faith and fair dealing is implied in every
    
    contract).    In other words, the implied good-faith-and-fair-dealing covenant
    
    sufficiently confines the promised performance to make it valid consideration. See
    
    Mattei, 330 P.2d at 627 (recognizing “that the promisor’s duty to exercise his judgment
    
    in good faith is an adequate consideration to support the contract”); Storek & Storek,
    
    122 Cal. Rptr. 2d at 281 (“The covenant of good faith is implied in order to set a limit
    
    on the promisor’s ability to express dissatisfaction and thereby supply adequate
    
    consideration to support the contract.”).
    
            This implied covenant applies not only to save the contract as a whole but also
    
    to cabin individual provisions within the contract—such as conditions precedent,
    
    arbitration provisions, or provisions that give one party unfettered discretion to void a
    
    sale.   See Mattei, 330 P.2d at 627 (citing cases in which discretion “dealt with
    
    performances to be received as parts of the agreed exchanges,” and holding that the
    
    same good-faith covenant applied to conditions precedent; “the fact that . . . [the
    
    discretionary aspect] w[as] not part of the performance to be rendered [wa]s not
    
    material”); Hester, 263 Cal. Rptr. 3d at 307, 309 n.3 (recognizing that contract
    
    provision giving seller unqualified right to void sale was not facially invalid and could
    
    be saved by implied covenant); 24 Hour Fitness, 78 Cal. Rptr. 2d at 541–42 (holding
    
    that former employer’s discretion to modify terms of personnel handbook “carrie[d]
    
    
    
    with it the [implied] duty to exercise that right fairly and in good faith” and thus did
    
    not render illusory the arbitration clause within the handbook).
    
          Here then, Visa’s discretion to unilaterally modify the Visa Core Rules was
    
    restrained by the implied covenant of good faith and fair dealing; the discretion did
    
    not render Visa’s contract with Fifth Third illusory. And to the extent that Sally
    
    Beauty argues that Visa could have used its discretion to impose a disproportionately
    
    high GCAR assessment, Sally Beauty’s argument is again undermined by Visa’s
    
    implied covenant of good faith and fair dealing. Visa—implicitly limited by this
    
    covenant—could not have exercised its discretion to impose a disproportionately
    
    high, penal GCAR assessment. Sally Beauty’s third argument is invalid.
    
          4. Conclusion
          In sum, the GCAR assessment is presumed to be valid and enforceable, and
    
    Sally Beauty has not advanced any arguments that overcome this presumption by
    
    demonstrating that the assessment is a penalty. The assessment is not invalid because
    
    it estimates Visa’s payments to the issuers, nor is it invalid because it captures only
    
    one aspect of Fifth Third’s liability for the breach, nor because Visa had the discretion
    
    to unilaterally alter the contract.   Sally Beauty has not shown that the GCAR
    
    assessment “b[ore] no reasonable relationship to the range of actual damages that the
    
    parties could have anticipated would flow from a breach.” See Ridgley, 953 P.2d at 488.
    
          Because the GCAR assessment is presumed to be valid and enforceable, and
    
    because Sally Beauty has not advanced any arguments that overcome this presumption
    
    by demonstrating that the assessment is a penalty, the liquidated damages clause is
    
    enforceable. See Cal. Civ. Code § 1671(b). We sustain Visa’s first issue and reverse
    
    the trial court’s breach of contract judgment.
    
    B. Fraud Counterclaim: Does Visa Have Standing, and Did It State a Claim?
          In addition to granting summary judgment on Sally Beauty’s breach of contract
    
    claim, the trial court also granted Sally Beauty’s motion for summary judgment on
    
    Visa’s fraud counterclaim. See Tex. R. Civ. P. 166a(b). Sally Beauty argued below, as
    
    it argues here, that Visa does not have standing to bring the fraud counterclaim48 and
    
    that even if it did, four of the six elements of Visa’s pleaded fraud counterclaim fail as
    
    a matter of Texas law. See Tex. R. Civ. P. 166a(c).
    
          We begin with the standing issue because it implicates our subject matter
    
    jurisdiction. Heckman v. Williamson Cnty., 369 S.W.3d 137, 150–51 (Tex. 2012); Tex.
    
    Ass’n of Bus. v. Tex. Air Control Bd., 852 S.W.2d 440, 443–45 (Tex. 1993).
    
          1. Standing
          Standing is a constitutional prerequisite to a court’s subject matter jurisdiction
    
    over a plaintiff’s claim. Heckman, 369 S.W.3d at 150; Tex. Ass’n of Bus., 852 S.W.2d at
    
    443–45; see Tex. Const. art. I, § 13 (requiring due course of law for “every person for
    
    
          48
             It is unclear from the record whether Sally Beauty challenged Visa’s standing
    in the trial court or whether Sally Beauty merely challenged Visa’s satisfaction of the
    damages element of Visa’s fraud counterclaim. But either way, “[s]ubject matter
    jurisdiction is an issue that may be raised for the first time on appeal; it may not be
    waived by the parties.” Tex. Ass’n of Bus. v. Tex. Air Control Bd., 852 S.W.2d 440, 445
    (Tex. 1993).
    
    
    an injury done him”).49 “In Texas, the standing doctrine requires a concrete injury to
    
    the plaintiff and a real controversy between the parties that will be resolved by the
    
    court.”50 Meyers v. JDC/Firethorne, Ltd., 548 S.W.3d 477, 484 (Tex. 2018) (quoting
    
    Heckman, 369 S.W.3d at 154).
    
          Sally Beauty challenges the concrete-injury requirement. This portion of the
    
    standing doctrine requires the plaintiff to “plead facts demonstrating that he, himself
    
    (rather than a third party or the public at large), suffered the injury.” Meyers, 548
    
    S.W.3d at 485 (quoting Heckman, 369 S.W.3d at 155). Sally Beauty alleges that Visa
    
    lacks standing to bring its fraud claim because Visa’s “‘injury’ consists solely of costs
    
    [that] Visa voluntarily incurred to address a purported risk of harm to third parties”;
    
    according to Sally Beauty, Visa has admitted that it sustained no damage itself.
    
          But this argument is unavailing. Visa pleaded multiple injuries that it directly
    
    sustained as a result of Sally Beauty’s alleged fraud, and Sally Beauty admitted as much
    
    in its motion for summary judgment.51 Visa pleaded that it had “incurred costs and
    
    expenses while investigating the [d]ata [b]reach and taking steps necessary to protect
    
    the Visa Network” and that the breach “compromis[ed] the integrity of the payment
    
    
          49
            Texas’s standing doctrine parallels the federal doctrine for Article III standing.
    Heckman, 369 S.W.3d at 154.
          50
            The parties agree that Texas law governs Visa’s fraud counterclaim.
          51
            Sally Beauty’s motion for summary judgment acknowledged that Visa sought
    to recover, among other things (1) costs Visa incurred “to prevent future harm,” and
    (2) “damage to the ‘integrity of the payment card ecosystem.’”
    
    
    card ecosystem upon which payment transactions using Visa-branded payment cards
    
    rely, damaging Visa.”52 See Frost Nat’l Bank v. Fernandez, 315 S.W.3d 494, 502–03 (Tex.
    
    2010) (recognizing that “a plaintiff’s good faith allegations are used to determine the
    
    trial court’s jurisdiction” and that “[a] court may presume the truth of allegations
    
    supportive of standing to determine standing”). Although Sally Beauty accurately
    
    observes that Visa’s investigation and mitigation of the hack benefitted third-party
    
    network participants, such indirect benefits to Visa’s customers merely reflect the
    
    nature of its business.
    
           Visa is in the business of providing secure financial transactions, and “the value
    
    of the services that . . . [the Visa] platform provides increases as the number of
    
    participants on both sides of the platform increase.”53 Ohio v. Am. Express Co., 138
    
    
           52
             Sally Beauty can and does dispute whether Visa can prove such injuries, but
    “[a] plaintiff does not lack standing simply because he cannot prevail on the merits of
    his claim; he lacks standing because his claim of injury is too slight for a court to
    afford redress.” Meyers, 548 S.W.3d at 484–85.
           53
             As the United States Supreme Court has recognized, Visa “sell[s] its services
    only if a merchant and cardholder [or here, issuing bank] both simultaneously choose
    to use the network[;] . . . whenever [Visa’s] credit-card network sells one transaction’s
    worth of card-acceptance services to a merchant it also must sell one transaction’s
    worth of . . . services to a cardholder [or here, an issuing bank].” Ohio v. Am. Express
    Co., 138 S. Ct. 2274, 2286 (2018) (describing credit-card network as a two-sided
    transaction platform and focusing on the roles of merchants and cardholders); see also
    Pulse Network, LLC v. Visa, Inc., No. CV H-14-3391, 2018 WL 9850158, at *1 (S.D.
    Tex. Aug. 31, 2018) (“The market for debit routing is two-sided—issuers and
    merchants.”); Joshua D. Wright, Mastercard’s Single Entity Strategy, 12 Harv. Negot. L.
    Rev. 225, 227 (2007) (explaining that, in two-sided markets, “two different groups of
    customers are connected by an intermediary, and that the value to each group
    depends on the size of the other group”).
    
    S. Ct. 2274, 2280–81 (2018) (describing credit-card platform and discussing two-sided
    
    platforms generally). Visa alleged that Sally Beauty’s fraud caused a Visa network
    
    hack that compromised the security of Visa’s transactions—decreasing the value of
    
    Visa’s services and spooking (while also separately harming) Visa network
    
    participants, such as issuing banks. Visa thus claimed that the fraud caused direct
    
    harm to the value of its services, and it pleaded fraud-related damages for expenses it
    
    had incurred to investigate and repair the security of its compromised network, i.e.,
    
    expenses required to restore the value of the secure transactional services that
    
    constitute Visa’s bread and butter. Such pleadings were sufficient to show that the
    
    company itself, rather than a third party or the public at large, suffered injury. Cf.
    
    M.D. Anderson Cancer Ctr. v. Novak, 52 S.W.3d 704, 707–08 (Tex. 2001) (holding that
    
    plaintiff lacked standing when plaintiff received an allegedly fraudulent mailer seeking
    
    donations, but plaintiff did not believe the fraudulent claims and did not donate).
    
          Visa has pleaded a concrete injury and has standing to maintain its fraud action.
    
          2. Failure to State a Claim
          Sally Beauty contends that, even if Visa has standing, Visa’s live counterpetition
    
    fails to state a claim for fraud because four of the six elements of Visa’s pleaded claim
    
    fail as a matter of Texas law. See Tex. R. Civ. P. 166a(c). Sally Beauty moved for
    
    
    
    
    summary judgment on this basis, arguing that Visa’s fraud pleadings failed to state a
    
    claim.54
    
                 a. Standard of Review
           A defendant may obtain summary judgment by conclusively negating at least
    
    one element of the plaintiff’s claim. Murphy Expl. & Prod. Co.–USA v. Adams, 560
    
    S.W.3d 105, 108 (Tex. 2018); Frost Nat’l Bank, 315 S.W.3d at 508–09; see Tex. R. Civ.
    
    P. 166a(b)–(c). Although the defendant typically accomplishes this task by offering
    
    conclusive summary judgment evidence disproving the challenged element or
    
    elements, Sally Beauty sought to conclusively negate elements of Visa’s fraud
    
    counterclaim on the pleadings alone.
    
           Generally, it is improper to grant summary judgment on a deficient pleading’s
    
    failure to state an essential element of a cause of action when the deficiency can be
    
    attacked through a special exception and cured by amendment. In re B.I.V., 870
    
    S.W.2d 12, 13–14 (Tex. 1994); Tex. Dep’t of Corr. v. Herring, 513 S.W.2d 6, 9–10 (Tex.
    
    1974); Slaven v. Livingston, No. 02-17-00266-CV, 2019 WL 983693, at *5 (Tex. App.—
    
    Fort Worth Feb. 28, 2019, no pet.) (mem. op.); Heil Co. v. Polar Corp., 191 S.W.3d 805,
    
           54
             In its summary judgment motion, Sally Beauty clarified that it was not asking
    the trial court to “decid[e] whether there [wa]s enough factual evidence for the issues
    in question to be presented to a jury,” rather, Sally Beauty claimed that the issues
    presented were matters of law that could resolve the case before the parties and the
    court expended unnecessary time and expense litigating it. And in contemporaneous
    filings—responding to Visa’s competing motion for summary judgment—Sally Beauty
    objected to the trial court’s deciding fact-related issues “prior to the parties[’] having
    engaged in any discovery.”
    
    
    817 (Tex. App.—Fort Worth 2006, pet. denied). But if the pleading deficiency cannot
    
    be cured by amendment, summary judgment on the pleadings may be proper.55 See
    
    Friesenhahn v. Ryan, 960 S.W.2d 656, 658 (Tex. 1998); Slaven, 2019 WL 983693, at *5;
    
    Heil, 191 S.W.3d at 817.
    
          When reviewing a pleading-deficiency summary judgment, we consider the
    
    pleadings de novo, “taking all allegations, facts, and inferences in the pleadings as true
    
    and viewing them in a light most favorable to the pleader.” Natividad v. Alexsis, Inc.,
    
    875 S.W.2d 695, 699 (Tex. 1994); Slaven, 2019 WL 983693, at *5. We will affirm only
    
    if, even assuming the plaintiff can prove all the allegations contained in its petition,
    
    the petition is legally insufficient to state a cause of action. Natividad, 875 S.W.2d at
    
    699; Carter v. Abbyad, 299 S.W.3d 892, 895 (Tex. App.—Austin 2009, no pet.); Hall v.
    
    Stephenson, 919 S.W.2d 454, 467 (Tex. App.—Fort Worth 1996, writ denied).
    
                 b. Elements
          A valid fraud claim includes six elements: (1) the defendant made a material,
    
    actionable representation; (2) the representation was false; (3) the defendant knew the
    
    representation was false or made it recklessly without any knowledge of its truth;
    
    
    
          55
            Visa did not argue that any pleading deficiency could be cured, nor did it seek
    leave to amend its petition. “[A] nonmovant waives a complaint that summary
    judgment was improperly granted [on the pleadings] by failing to raise it in the
    summary judgment proceeding at trial.” Conyer v. Reyes, No. 02-12-00440-CV, 2014
    WL 1704216, at *1 (Tex. App.—Fort Worth Apr. 30, 2014, no pet.) (mem. op.).
    Thus, to the extent that Visa could have cured any pleading deficiencies by
    amendment, Visa waived the issue. See Slaven, 2019 WL 983693, at *5.
    
    
    (4) the defendant intended to induce the plaintiff to act upon the representation;
    
    (5) the plaintiff actually and justifiably relied upon the false representation; and (6) the
    
    plaintiff thereby suffered injury.56 See JPMorgan Chase Bank, N.A. v. Orca Assets G.P.,
    
    L.L.C., 546 S.W.3d 648, 653 (Tex. 2018) (listing in four elements); Aquaplex, Inc. v.
    
    Rancho La Valencia, Inc., 297 S.W.3d 768, 774 (Tex. 2009) (listing in six elements);
    
    Hannon, Inc. v. Scott, No. 02-10-00012-CV, 2011 WL 1833106, at *6 (Tex. App.—Fort
    
    Worth May 12, 2011, pet. denied) (mem. op.) (listing in five elements); O’Connor’s
    
    Texas Causes of Action ch. 12-A, § 1.1 (2021) (listing in seven elements).
    
           Sally Beauty’s motion for summary judgment challenged four of these six
    
    elements. Sally Beauty argued below, as it does here, that (1) two of the statements in
    
    its 2014 AOC—the two statements upon which Sally Beauty alleges Visa’s fraud claim
    
    relies—were not actionable representations; (2) “as Sally Beauty did not make either
    
    statement to Visa, Sally Beauty could not have intended Visa to rely on the
    
    
    
    
          56
            To satisfy these elements, Visa’s live counterpetition alleged that (1) in Sally
    Beauty’s 2014 AOC and other AOCs, Sally Beauty represented that it was in
    compliance with PCI DSS protocols and that it would remain in compliance; (2) Sally
    Beauty was not in compliance with the PCI DSS protocols at the time of the 2014
    AOC, and Sally Beauty did not intend to comply; (3) Sally Beauty knew that it was not
    in compliance and had no intention of complying; (4) Sally Beauty submitted the
    AOC to Visa and intended for Visa to rely on it; (5) justifiably relying on the AOC,
    Visa did not assess noncompliance fees, and it allowed Sally Beauty to continue
    accessing the Visa network; and (6) as a result of such reliance, when Sally Beauty’s
    noncompliance facilitated a hack, Visa was forced to spend money investigating,
    mitigating, and repairing the harm to its network.
    
    
    statements”; (3) “Visa did not act in reliance,” and “[a]ny reliance [wa]s unjustified”;
    
    and (4) “Visa has pleaded no cognizable damages.”57 [Emphasis altered.]
    
                          (1) Actionable Representation
              First, Sally Beauty argues that Visa cannot base its fraud claim on the 2014
    
    AOC because the relied-upon statements within the AOC are not actionable, factual
    
    representations. Sally Beauty targets two statements from the AOC in particular:
    
    (1) that Sally Beauty is “in full compliance with the PCI DSS”;58 and (2) that Sally
    
    Beauty has “read the PCI DSS and recognizes that they must maintain full PCI DSS
    
    compliance at all times.” Sally Beauty argues that the first statement “was not even a
    
    statement by Sally Beauty”; that the second was “at most, a statement of future
    
    intent”; and that both statements “represent opinions and legal conclusions, not
    
    facts.”
    
    
          57
            Sally Beauty’s brief also disputes a fifth element: falsity. Sally Beauty argues
    that Visa has “neither alleged nor shown any evidence” that the statement was untrue
    at the time it was made. But Sally Beauty did not raise this argument below, so it
    cannot serve as a basis for the trial court’s summary judgment. See Tex. R. Civ. P.
    166a(c) (providing for summary judgment if “the moving party is entitled to judgment
    as a matter of law on the issues expressly set out in the motion or in an answer or any
    other response”); Black v. Victoria Lloyds Ins. Co., 797 S.W.2d 20, 27 (Tex. 1990) (“A
    summary judgment movant may not be granted judgment as a matter of law on a
    cause of action not addressed in a summary judgment proceeding.”).
          58
            Sally Beauty’s brief frames this as a challenge to Visa’s reliance on the AOC’s
    statement that Sally Beauty was in “compliance with the Data Security Standard.” But
    that phrase is not actually a quotation from the AOC at all; Sally Beauty is quoting
    Visa’s counterpetition. The quoted portion of Visa’s counterpetition appears to be
    summarizing and implicitly referencing the AOC’s statement that Sally Beauty is “in
    full compliance with the PCI DSS.”
    
    
          As a threshold matter, Visa’s fraud claim was not limited to the two statements
    
    that Sally Beauty targets. Visa’s live counterpetition alleged the following:
    
          29. Sally Beauty has continuously acknowledged its duty to comply with
          PCI DSS. Indeed, on October 29, 2014 Sally Beauty submitted an
          Attestation of Compliance (“AOC”) to Visa that affirmatively
          represented that Sally Beauty was in compliance with the Data Security
          Standard.
    
                  30. In the AOC, Sally Beauty affirmatively and expressly
          represented that it ha[d] “read the PCI DSS” and acknowledge[d] its
          responsibility to “maintain full PCI DSS compliance at all times.” Visa
          relied upon this and other attestations of compliance that Sally Beauty provided to
          permit Sally Beauty to continue participating in the Visa Network. If
          Sally Beauty had disclosed that it was not in compliance, and did not
          intend to comply, with the Data Security Standard, Sally Beauty would
          not have been allowed to accept Visa-branded payment cards.[59]
    
                 ....
    
                  48. In submitting the AOC to Visa, Sally Beauty made a false
          representation or fraudulently concealed a material fact, with knowledge
          of its falsity or without sufficient knowledge on the subject to warrant a
          representation, and with the intent to induce Visa to rely upon it.
    
    [Emphases added.] These pleadings, taken as true and viewed in Visa’s favor, see
    
    Natividad, 875 S.W.2d at 699, alleged that Visa relied to its detriment upon the entirety
    
    of the 2014 AOC. Thus, even if we were to hold that the two targeted statements
    
    could not support a fraud claim, such a holding would not entirely negate the
    
    actionable-representation element of fraud so as to support the trial court’s summary
    
    judgment. Cf., e.g., Sci. Spectrum, Inc. v. Martinez, 941 S.W.2d 910, 911 (Tex. 1997)
    
    
          59
            A copy of the AOC was attached to Visa’s counterpetition.
    
    
    (“[S]ummary judgment for a defendant is proper only when the defendant negates at
    
    least one element of each of the plaintiff’s theories of recovery, Gibbs v. General Motors
    
    Corp., 450 S.W.2d 827, 828 (Tex. 1970), or pleads and conclusively establishes each
    
    element of an affirmative defense.” (emphasis added)).
    
           But because Visa implicitly concedes that its fraud counterclaim relies, at least
    
    in part, on the targeted statements, and because Sally Beauty’s challenges to these two
    
    statements could logically extend to other statements in the AOC as well, we address
    
    Sally Beauty’s arguments that the statements were (1) made by the QSA; (2) at most,
    
    statements of future intent; (3) expert opinions; and (4) legal conclusions.
    
                                (a) Representations by QSA
           Sally Beauty first argues that Visa cannot premise its fraud counterclaim on the
    
    AOC’s statement that Sally Beauty was “in full compliance with the PCI DSS”
    
    because this “was not even a statement by Sally Beauty”—it was made by the QSA.
    
    But these two options are not mutually exclusive. Sally Beauty could and did endorse
    
    the QSA’s findings, thereby implicitly representing the accuracy of the factual basis for
    
    those findings.
    
           The AOC is a three-page document, with page one dominated by basic
    
    company information, and page three containing the 12-category checklist that
    
    summarizes the QSA’s report. The second page is the source of the challenged
    
    representation; it provides, in relevant part,
    
    
    
    
          Part 3. PCI DSS Validation
    
                 Based on the results noted in the [QSA’s report,] . . . [QSA]
          asserts the following compliance status for the entity . . . :
    
                  Compliant: All requirements in the [report] are marked “in
          place,” and a passing scan has been completed . . . thereby Sally Beauty
          Holdings has demonstrated full compliance with the PCI DSS version 2.0.
    
                 ....
    
                 Part 3a. Confirmation of Compliant Status
    
                 QSA/Merchant confirms:
    
                 .....
    
                  All information within the above-referenced [report] and in
          this attestation fairly represents the results of the assessment in all
          material respects.
    
                      The merchant has confirmed . . . that their payment
          application does not store sensitive authentication data after
          authorization.
    
                 The merchant has read the PCI DSS and recognizes that they
          must maintain full PCI DSS compliance at all times.
    
    Directly below the “confirm[ations]” in Part 3a, both Sally Beauty and the QSA signed
    
    the document.
    
          Although Sally Beauty is correct that the QSA completed portions of the
    
    AOC,60 such as the “PCI DSS Validation” above and the 12-category checklist
    
    
          60
            Page one of the AOC provides that the document “must be completed by a
    [QSA] or merchant (if merchant internal audit performs validation) as a declaration of
    the merchant’s compliance status.” Sally Beauty argues that this instruction proves as
    a matter of law that the QSA made the challenged representation in the AOC. But
    Sally Beauty acknowledges that this instruction does not apply to the entirety of the
    AOC because Sally Beauty itself made the statements in Part 3a, excerpted above.
    And, as we explain below, Sally Beauty’s statements in Part 3a effectively endorse the
    factual basis for the QSA’s representations in the remainder of the AOC.
    
    previously discussed, Visa’s counterpetition can be understood to allege that when
    
    Sally Beauty “confirm[ed]” the QSA’s statements as “fai[r] represent[ations],” it
    
    effectively endorsed the representations as an accurate description of the factual bases
    
    behind them,61 e.g., Sally Beauty’s “maintenance of firewall protections,” which Visa
    
    alleges were lacking. By signing and submitting the AOC then, Visa alleges that Sally
    
    Beauty misrepresented its “full compliance with the PCI DSS.” This was a
    
    representation by Sally Beauty itself; it was based on but distinct from the QSA’s
    
          61
              Even if Sally Beauty had not expressly endorsed the QSA’s representations,
    the mere fact that a statement is uttered by a third party does not necessarily render it
    incapable of supporting a fraud claim. See Parex Res., Inc. v. ERG Res., LLC, 427
    S.W.3d 407, 439–40 (Tex. App.—Houston [14th Dist.] 2014) (“[A] defendant’s
    liability for a fraudulent misrepresentation does not always require that the defendant
    affirmatively make the misrepresentation.”), aff’d sub nom. Searcy v. Parex Res., Inc., 496
    S.W.3d 58 (Tex. 2016). “[A] third party can be held liable for the misrepresentation of
    another if the third party benefits from the fraudulent transaction and had knowledge
    of the fraud.” Source 4 Value v. Hoelzer, No. 07-18-00338-CV, 2020 WL 4249744, at *3
    (Tex. App.—Amarillo July 21, 2020, pet. denied) (mem. op.); see Corpus Christi Area
    Tchrs Credit Union v. Hernandez, 814 S.W.2d 195, 202 (Tex. App.—San Antonio 1991,
    no writ); O’Connor’s Texas Causes of Action ch. 12-A, § 2.1 (2021); cf. also Bransom v.
    Standard Hardware, Inc., 874 S.W.2d 919, 924 (Tex. App.—Fort Worth 1994, writ
    denied) (“A party in interest may become liable by mere silent acquiescence and
    partaking of the benefits of the fraud.”).
    
    
    representations. Visa’s counterpetition thus states an actionable representation by
    
    Sally Beauty.62
    
                               (b) Promise of Performance
           Next, Sally Beauty targets its affirmation in the AOC that Sally Beauty has
    
    “read the PCI DSS and recognizes that they must maintain full PCI DSS compliance
    
    at all times.” Sally Beauty claims that this is not a promise to remain PCI DSS
    
    compliant; it is “nothing more than a confirmation by Sally Beauty that it has ‘read’
    
    and that it ‘acknowledges.’” And regardless, Sally Beauty argues, statements of future
    
    intent cannot constitute actionable fraud. We disagree on both counts.
    
           First, Sally Beauty’s acknowledgment could be reasonably understood as a
    
    promise to perform. Although the acknowledgement does not use the word promise, it
    
    communicates a comparable level of certainty by using the word must.
    
           Must is an affirmation that something will happen. See Must, Webster’s Third
    
    New International Dictionary 1492 (2002) (defining must as, among other things, “is
    
    
    
           62
             To the extent that Sally Beauty contends that it was required to expressly
    reiterate each of the QSA’s findings to make them actionable representations, we
    disagree. See Ten-Cate v. First Nat’l Bank, 52 S.W.2d 323, 326–27 (Tex. Civ. App.—
    Fort Worth 1932, no writ) (holding that appellee fraudulently misrepresented terms of
    advertising agreement and recognizing that “a representation need not be a direct lie
    in order to constitute remedial fraud; the false representation may consist in a
    deceptive answer, or any other indirect but misleading language” (quoting 25 C.J.S.
    Fraud at 1066)); see Baribeau v. Gustafson, 107 S.W.3d 52, 59 (Tex. App.—San Antonio
    2003, pet. denied) (“Fraud is deducible from artifice . . . as well as from affirmative
    conduct of a character to deceive.”); O’Connor’s Texas Causes of Action ch. 12-A, § 2.3.4
    (2021) (stating that “[d]eceptive conduct is equivalent to a false statement of fact”).
    
    
    compelled by physical necessity to . . . [;] is required by immediate or future need or
    
    purpose to”). Implicit in this word is the recognition that there is no discretion to do
    
    or endure otherwise. Cf., e.g., Helena Chem. Co. v. Wilkins, 47 S.W.3d 486, 493 (Tex.
    
    2001) (interpreting must in statute and recognizing that “[w]hile Texas courts have not
    
    interpreted ‘must’ as often as ‘shall,’ both terms are generally recognized as
    
    mandatory, creating a duty or obligation”). In the context of the AOC, must conveys
    
    that Sally Beauty will comply with the PCI DSS security protocols—as opposed to
    
    merely aspiring to comply—because Sally Beauty has no discretion to do otherwise.
    
    Sally Beauty’s “recogni[tion] that they must maintain full PCI DSS compliance at all
    
    times” is a sufficiently definite commitment to support Visa’s fraud counterclaim.
    
    [Emphasis added.]
    
          And, contrary to Sally Beauty’s contentions, a statement of future intent can
    
    support a fraud claim. Specifically, “[a] promise of future performance constitutes an
    
    actionable misrepresentation if the promise was made with no intention of
    
    performing at the time it was made.” Aquaplex, 297 S.W.3d at 774–75; Formosa
    
    Plastics, 960 S.W.2d at 48. Visa’s counterpetition alleged that when Sally Beauty signed
    
    the AOC “recogniz[ing] that [it] must maintain PCI DSS compliance at all times,”
    
    Sally Beauty had no intention of complying with the PCI DSS protocols. This is
    
    sufficient to state an actionable representation for purposes of fraud.
    
    
    
    
                               (c) Expert Opinions
          Sally Beauty next attacks both of the AOC statements discussed above by
    
    alleging that “[w]hether or not Sally Beauty is PCI DSS compliant . . . is the province
    
    of expert opinion, and an expert’s opinion is not a ‘material fact’ upon which fraud
    
    can be based.”63
    
          While it is true that an expression of pure opinion is not generally considered
    
    an actionable representation, “[w]hether a statement is an actionable statement of
    
    ‘fact’ or merely one of ‘opinion’ often depends on the circumstances in which a
    
    statement is made.” Italian Cowboy Partners, Ltd. v. Prudential Ins. Co. of Am., 341 S.W.3d
    
    323, 337–39 (Tex. 2011) (holding that defendant’s statements that prior tenant
    
    experienced “[n]o problems” and that the building was a “perfect restaurant site”
    
    were actionable statements of fact); see O’Connor’s Texas Causes of Action ch. 12-A, § 2.3
    
    (2021).
    
          Here, Sally Beauty’s representations in the AOC can best be understood as
    
    statements of fact. Even assuming arguendo that PCI DSS compliance is a matter of
    
    expert QSA opinion, Sally Beauty’s representations were in addition to those of the
    
    QSA and as an endorsement of the factual basis for the QSA’s conclusions.
    
    
    
          63
            Although Sally Beauty argued below that the challenged misrepresentations
    required legal expertise, its brief implies that such representations required a QSA’s
    expertise. Whatever the qualifications that Sally Beauty believes were required to
    comment on its compliance status, our analysis regarding the factual nature of Sally
    Beauty’s representations remains the same.
    
    
           First, as discussed above, both Sally Beauty and the QSA signed the AOC, and
    
    Sally Beauty made its representations in addition to the QSA’s. And some of the
    
    statements that Sally Beauty attested to in the AOC were factual statements regarding
    
    its actions:
    
                       The merchant has confirmed . . . that their payment
           application does not store sensitive authentication data after
           authorization.
    
                  The merchant has read the PCI DSS and recognizes that they
           must maintain full PCI DSS compliance at all times.
    
    The AOC is clear on its face that Sally Beauty is not making its representations as a
    
    QSA; it is making its representations in addition to those of the QSA and as the entity
    
    with factual knowledge of its own actions, procedures, and security precautions—
    
    upon which the QSA’s analysis is based. Although Sally Beauty claims that it lacked
    
    the expertise to determine “whether or not any one of the over 200 PCI DSS
    
    requirements and sub-requirements [was] ‘in place,’” the entity cannot deny that it
    
    possessed the facts necessary to make this determination; it knew what security
    
    precautions it had or had not taken.64
    
    
           64
             Indeed, Sally Beauty’s “one-sided knowledge of past facts” was a significant
    reason why its representations in the AOC had value. See Italian Cowboy Partners, Ltd.,
    341 S.W.3d at 339 (“Prudential’s one-sided knowledge of past facts makes these
    particular representations actionable under the circumstances.”). Visa alleged that it
    “did not have independent access to Sally Beauty’s network and relied on Sally
    Beauty’s attestation affirming its compliance with data-security standards[,] . . . . [and]
    Sally Beauty was aware that Visa would rely on Sally Beauty’s misrepresentation of its
    compliance.” Visa further alleged that “Sally Beauty knew that it was not in
    compliance with the Data Security Standard,” i.e., that Sally Beauty had one-sided
    knowledge of past or then-current facts regarding its sub-par security practices and
    protocols.
    
          Visa’s counterpetition alleged that Sally Beauty had “failed to take the steps it
    
    knew were necessary to adequately safeguard its network and maintain [PCI DSS]
    
    compliance,” such as “implement[ing] appropriate policies and procedures . . . [for]
    
    the maintenance of firewall protections, appropriate user logins and passwords, and
    
    monitoring of access to network resources and cardholder data.” Such allegations
    
    identify concrete steps that Sally Beauty knew were necessary to comply with the PCI
    
    DSS but that, according to Visa, Sally Beauty knew that it had failed to take. Sally
    
    Beauty’s representations in the AOC can be properly understood as factual
    
    representations regarding these and other merchant actions upon which the QSA’s
    
    compliance report was based.
    
          Therefore, even assuming Sally Beauty’s official compliance status was a matter
    
    of expert QSA opinion, Visa’s pleadings state an actionable representation.
    
                              (d) Legal Conclusions
          Sally Beauty also argues that, to the extent that it represented it was and would
    
    remain fully PCI DSS compliant, “whether Sally Beauty has fulfilled its contractual
    
    obligations under its Bank Card Management Agreement with Fifth Third as a result
    
    of its PCI DSS compliance status is a legal opinion, not a ‘material fact’ upon which
    
    fraud can be based.” See Fina Supply, Inc. v. Abilene Nat’l Bank, 726 S.W.2d 537, 540
    
    (Tex. 1987) (“A representation as to the legal effect of a document is regarded as a
    
    statement of opinion rather than of fact and will not ordinarily support an action for
    
    fraud.”); Taub v. Hous. Pipeline Co., 75 S.W.3d 606, 621 (Tex. App.—Texarkana 2002,
    
    pet. denied) (“Generally, claims of fraud cannot arise from legal opinions.”).
    
          But Visa’s fraud claim does not rely upon the Bank Card Management
    
    Agreement; it relies on Sally Beauty’s AOC. Visa’s counterpetition referenced the
    
    Bank Card Management Agreement as support for a separate counterclaim:
    
    negligence. Specifically, Visa alleged that Sally Beauty had a duty to comply with the
    
    PCI DSS protocols in part because it agreed to do so under the terms of its contract
    
    with Fifth Third. But unlike negligence, common law fraud does not require the
    
    plaintiff to establish a duty element. See, e.g., Haase v. Gim Res., Inc., No. 01-09-00696-
    
    CV, 2010 WL 3294247, at *1 (Tex. App.—Houston [1st Dist.] Aug. 19, 2010, no pet.)
    
    (mem. op. on reh’g) (affirming summary judgment dismissing negligence claim
    
    because “[appellant] did not raise any evidence showing that [appellee] owes him a
    
    legal duty,” but reversing summary judgment on fraud claim “because legal duty is not
    
    an element of fraud and [appellee] did not present additional summary judgment
    
    grounds”). But cf. Bradford v. Vento, 48 S.W.3d 749, 755 (Tex. 2001) (“As a general
    
    rule, a failure to disclose information does not constitute fraud unless there is a duty
    
    to disclose the information.”). To state a claim for fraud, Visa was required to
    
    identify a fraudulent, material misrepresentation. And Visa did so by pointing to the
    
    
    
    
    AOC, with no mention of the Bank Card Member Agreement.65 Whether Sally
    
    Beauty breached the terms of its agreement with Fifth Third is a separate matter.
    
          Even if Visa’s fraud claim had referenced Sally Beauty’s compliance with the
    
    agreement though, contractual compliance is not a question of law where, as here, the
    
    parties dispute the relevant factual conduct. Cf. Lafarge Corp. v. Wolff, Inc., 977 S.W.2d
    
    181, 186 (Tex. App.—Austin 1998, pet. denied) (recognizing that breach is a question
    
    of law “[w]here the evidence is undisputed regarding a person’s conduct under a
    
    contract”). As discussed previously, Visa and Sally Beauty hotly contest whether Sally
    
    Beauty “t[ook] the steps it knew were necessary to adequately safeguard its network
    
    and maintain compliance,” and Sally Beauty’s statements in the AOC could fairly be
    
    understood as representations of the underlying facts. See supra Section
    
    II.B.2.b.(1).(c); see also Fina Supply, 726 S.W.2d at 540 (“[M]isrepresentations involving
    
    a point of law will be considered misrepresentations of fact if they were intended and
    
    understood as such.”); Affordable Power, L.P. v. Buckeye Ventures, Inc., 347 S.W.3d 825,
    
    831 (Tex. App.—Dallas 2011, no pet.) (holding representation regarding contract-
    
    termination fee was intended and understood as a representation of fact).
    
    
    
          65
            The fraud-related portion of Visa’s live counterpetition alleged that “[i]n
    submitting the AOC to Visa, Sally Beauty made a false representation or fraudulently
    concealed a material fact[] with knowledge of its falsity or without sufficient
    knowledge on the subject to warrant a representation[] and with the intent to induce
    Visa to rely upon it” and that Visa had “acted in justifiable reliance on Sally Beauty’s
    representations and was thereby damaged.”
    
    
          Sally Beauty’s claim that the two targeted representations are legal conclusions
    
    is thus untenable.
    
                         (2) Intent to Induce Reliance
          Next, Sally Beauty argues that it did not make either of the targeted statements
    
    to Visa, so “logically and as a matter of law” it could not have intended for Visa to
    
    rely on the statements. Although we again note that Visa’s counterpetition was not
    
    limited to the two targeted statements, see supra Section II.B.2.b.(1), Sally Beauty’s
    
    challenge logically extends to the 2014 AOC as a whole. Sally Beauty claims that it
    
    did not submit its AOC directly to Visa, rather Sally Beauty submitted the document
    
    to Fifth Third, which may or may not have submitted the document to Visa.
    
          But Visa’s amended petition alleges that Sally Beauty “submit[ed] the AOC to
    
    Visa” and that Sally Beauty knew and intended that Visa would rely upon its
    
    representations in the AOC.66 Visa doubled down on this argument in its response to
    
    Sally Beauty’s motion for summary judgment, reiterating that “Sally Beauty submitted
    
          66
             On appeal, Visa argues that Sally Beauty made the representation to Visa
    “through its acquirer Fifth Third.” Even if we construe this as a concession, though,
    it does not necessarily settle the issue; Visa still claims that Sally Beauty knew and
    intended to make the representation to Visa. A plaintiff can pursue a fraud claim
    based on an indirectly received representation if the plaintiff can show that the
    defendant had reason to expect the plaintiff’s reliance on the statement, that is, if the
    plaintiff can show that the defendant possessed information that would lead a
    reasonable man to conclude that there was “an especial likelihood” that the
    defendant’s representation would reach the specific plaintiff and influence its conduct.
    Ernst & Young, L.L.P. v. Pac. Mut. Life Ins. Co., 51 S.W.3d 573, 581 (Tex. 2001)
    (quoting Restatement (Second) of Torts § 531 cmt. d (1977)); see also O’Connor’s Texas
    Causes of Action ch. 12-A, §§ 2.1.2, 2.5 (2021).
    
    
    [the 2014 AOC] to Visa.” Taking Visa’s counterpetition as true and construing it in
    
    Visa’s favor, see Natividad, 875 S.W.2d at 699, Visa’s pleadings were sufficient to allege
    
    the intent-to-induce-reliance element of fraud.
    
                        (3) Reliance
          Sally Beauty further argues that “Visa admits it does not rely on statements in
    
    the AOC” and that even if it did, “Visa was not justified in relying on the AOC as a
    
    guarantee of future PCI DSS compliance.”
    
                               (a) Actual Reliance
          To plead reliance, Visa was required to allege that it had actually relied upon
    
    Sally Beauty’s misrepresentations to its detriment. See JPMorgan Chase Bank, 546
    
    S.W.3d at 653 (“[T]he plaintiff must show that it actually relied on the defendant’s
    
    representation[.]”). In its live counterpetition, Visa pleaded reliance on Sally Beauty’s
    
    “affirmativ[e] and expres[s]” representation that Sally Beauty had “read the PCI DSS,”
    
    as well as Sally Beauty’s commitment to “maintain full PCI DSS compliance at all
    
    times.” Visa alleged that it had “relied upon this [i.e., the 2014 AOC] and other
    
    attestations of compliance that Sally Beauty provided to permit Sally Beauty to
    
    continue participating in the Visa Network.”67 Again, taking these pleadings as true
    
    
    and viewing them in a light most favorable to Visa, Visa’s counterpetition sufficiently
    
    alleged actual reliance.
    
          67
            Additionally, in response to Sally Beauty’s motion for summary judgment, a
    Visa representative averred that
          [i]n the event that Visa becomes aware that a participating merchant has
          fabricated validation documentation to Visa, including the submission of
          an [AOC] . . . Visa has the discretion to take corrective action, and has
          taken such corrective action[] such as imposing an assessment or
          suspending a particular merchant’s ability to accept or process Visa
          cardholder transactions.
    
                                (b) Justifiable Reliance
           Sally Beauty further claims that, even if Visa actually relied upon the
    
    representations in its AOC, “[a]ny reliance [wa]s unjustified” because the AOC was
    
    “only a statement of a merchant’s compliance as of the time the AOC [wa]s
    
    completed, and thus, cannot be a guarantee of continuing compliance upon which
    
    Visa could justifiably rely.”
    
           First, Visa’s fraud counterclaim alleged that, when Sally Beauty signed and
    
    submitted the AOC, it was fraudulently misrepresenting its compliance status at that
    
    point in time: “Sally Beauty knew that it was not in compliance with the Data Security
    
    Standard,” or “[a]t the very least, Sally Beauty was reckless in representing to Visa that
    
    it was in compliance with the Data Security Standard.” Sally Beauty has not addressed
    
    this aspect of the pleadings or identified any reason why Visa could not justifiably rely
    
    on such a point-in-time representation.
    
           And second, Sally Beauty’s argument ignores its express “recogni[tion]” in the
    
    AOC “that they must maintain full PCI DSS compliance at all times.” As explained
    
    above, this statement is a promise to perform in the future, not merely a
    
    representation of Sally Beauty’s compliance at the time the AOC was completed. See
    
    supra Section II.B.2.b.(1).(b).
    
           Therefore, the justifiable-reliance element of Visa’s fraud claim does not fail as
    
    a matter of law.68
    
                         (4) Cognizable Damages
           Finally, Sally Beauty argues that Visa cannot satisfy the damages element of
    
    fraud because it experienced “no existing cognizable harm” itself and cannot seek to
    
    recover for damages to third parties.69 But these arguments are based on faulty
    
    premises: (1) that Visa has suffered no harm itself, and (2) that Visa is using its fraud
    
    claim to recover for damages to third parties or actions taken to protect third parties.
    
           68
             Furthermore, “[w]hether a party’s actual reliance is also justifiable is ordinarily
    a fact question.” Mercedes-Benz USA, LLC v. Carduco, Inc., 583 S.W.3d 553, 558 (Tex.
    2019).
           69
             Sally Beauty’s motion for summary judgment acknowledged that Visa sought
    to recover “(1) costs Visa incurred as a result of its own actions, (2) harm suffered by
    third-party ‘members of the Visa Network’, and (3) damage to the ‘integrity of the
    payment card ecosystem.’” Sally Beauty argued below that none of these damages
    were cognizable; the costs were “purely voluntary steps . . . . to prevent future harm”;
    Visa lacked standing to recover for damages to third parties; and the damage to the
    ecosystem was not “concrete and particularized,” “actual or imminent,” or fairly
    traceable to the challenged action of the defendant rather than the independent action
    of some third party.
             But Sally Beauty’s argument on appeal is slightly different. Now, Sally Beauty
    staunchly asserts that Visa itself has experienced no harm; Sally Beauty argues that
    Visa seeks only to recover for damages to third parties or costs incurred to protect
    those third parties and that, even if Visa had incurred costs to prevent future harm to
    itself, it could not recover those costs without existing cognizable harm. Sally Beauty
    presents this argument in a single, combined challenge to Visa’s standing and Visa’s
    ability to state a claim for the damages element of fraud.
    
    
    We have already addressed and rejected these premises; Visa pleaded cognizable,
    
    direct damages that it had incurred to protect and restore its services. See supra
    
    Section II.B.1.
    
                 c. Conclusion
          After examining all of the arguments that Sally Beauty advanced in support of
    
    its motion for summary judgment on Visa’s fraud counterclaim, none of these
    
    arguments are meritorious. See Dow Chem., 46 S.W.3d at 242. The question here is
    
    not whether Visa can ultimately prove that Sally Beauty committed all of the elements
    
    of fraud; the question is whether Visa’s pleadings—taken as true and viewed in its
    
    favor—are legally sufficient to state a claim as a matter of law. See Natividad, 875
    
    S.W.2d at 699. For the reasons discussed above, Visa stated a claim for fraud. We
    
    sustain Visa’s second issue and reverse the trial court’s summary judgment on fraud.
    
    Tex. R. App. P. 43.2(d).
    
    C. Remand or Partial Rendition?
          Although we reverse both Sally Beauty’s breach of contract judgment and the
    
    judgment on Visa’s fraud counterclaim, the parties dispute whether we should remand
    
    the case to the trial court or render partial judgment in Visa’s favor on the breach of
    
    contract claim. See Tex. R. App. P. 43.2(c), (d). In fact, the parties even dispute the
    
    standard of review.
    
    
    
    
           1. Standard of Review
           Generally, an order denying summary judgment is interlocutory and is not
    
    subject to appellate review. See Lancer Ins. Co. v. Garcia Holiday Tours, 345 S.W.3d 50,
    
    59 (Tex. 2011); Bowman v. Lumberton Indep. Sch. Dist., 801 S.W.2d 883, 889 (Tex. 1990)
    
    (op. on reh’g). But there is an exception: when both parties move for summary
    
    judgment and the trial court grants one motion and denies the other, “the reviewing
    
    court considers the summary judgment evidence presented by both sides, determines
    
    all questions presented, and if the reviewing court determines that the trial court erred,
    
    renders the judgment the trial court should have rendered.” Fed. Deposit Ins. Corp. v.
    
    Lenk, 361 S.W.3d 602, 611 (Tex. 2012) (quoting Valence Operating Co. v. Dorsett, 164
    
    S.W.3d 656, 661 (Tex. 2005)). For this exception to apply though, both parties must
    
    have either (1) moved for final summary judgment, see CU Lloyd’s of Tex. v. Feldman,
    
    977 S.W.2d 568, 569 (Tex. 1998), or (2) moved for summary judgment on the same
    
    issues. See Tri-Cnty. Elec. Coop., Inc. v. GTE Sw. Inc., 490 S.W.3d 530, 537 (Tex. App.—
    
    Fort Worth 2016, no pet.); see also Fed. Deposit Ins., 361 S.W.3d at 611–12.
    
           Sally Beauty disputes the existence of the second option; it argues that, because
    
    Visa only sought partial summary judgment, we cannot review the denial of Visa’s
    
    summary judgment motion or render judgment in Visa’s favor. But Visa accurately
    
    observes that this court has held otherwise. See Tri-Cnty. Elec. Coop., 490 S.W.3d at
    
    537.
    
    
    
    
          As we recognized in Tri-County—and as our sister courts have recognized as
    
    well—when the issues raised in the appellant’s motion for partial summary judgment
    
    overlap with the issues raised in the appellee’s motion for final summary judgment, we
    
    may review the overlapping issues and render judgment for the appellant as to those
    
    matters raised in common. See id. (“[B]ecause [appellant] Tri-County moved only for
    
    a partial summary judgment, we may render only as to those matters that Tri-County
    
    raised in common with [appellee] Verizon.”); see also Waller v. Waller, No. 12-19-00326-
    
    CV, 2020 WL 5406246, at *5 (Tex. App.—Tyler Sept. 9, 2020, no pet.) (mem. op.)
    
    (recognizing that “when the moving parties in both motions seek summary judgment
    
    on the same issue, the court of appeals may review a cross-motion that does not
    
    address all claims”); Houle v. Casillas, 594 S.W.3d 524, 542 (Tex. App.—El Paso 2019,
    
    no pet.) (recognizing that denial of partial summary judgment may be reviewed if the
    
    parties “have filed competing motions for summary judgment on the same issue”);
    
    United Auto. Ins. Servs. v. Rhymes, No. 05-16-01125-CV, 2018 WL 2077561, at *2 n.4
    
    (Tex. App.—Dallas May 4, 2018, no pet.) (mem. op.) (recognizing that “the appellate
    
    court can address the [denial of a] motion for partial summary judgment if it addresses
    
    the same issues as the opposing party’s [final] summary judgment motion”); Gastar
    
    Expl. Ltd. v. U.S. Specialty Ins. Co., 412 S.W.3d 577, 582 (Tex. App.—Houston [14th
    
    Dist.] 2013, pet. denied) (recognizing that denial of partial summary judgment may be
    
    reviewed on appeal when “both parties . . . sought final judgment relief in their cross-
    
    
    
    motions for summary judgment or moved for summary judgment on the same
    
    issue”). We decline Sally Beauty’s invitation to overrule this precedent.70
    
          2. Breach of Contract
          Even with the standard of review settled, the parties dispute its application to
    
    the breach of contract claim. Both parties sought summary judgment on the breach
    
    element of this claim, but because Sally Beauty alleged four alternative theories of
    
    breach, the parties’ motions differed in scope: Visa’s summary judgment motion
    
    
    
    
           70
             Sally Beauty contends that our holding in Tri-Cnty. Elec. Coop. conflicts with
    Texas Supreme Court precedent—specifically, Feldman. See Feldman, 977 S.W.2d at
    568–69. We disagree.
    
             In Feldman, CU Lloyd’s moved for final summary judgment on Feldman’s
    breach of contract claims, arguing that no duty to defend existed. Id. at 568–69.
    Feldman filed a competing motion for partial summary judgment on the same issue—
    the existence of a duty to defend—as well as a second issue: breach. Id. at 569. The
    trial court granted CU Lloyd’s motion, and the court of appeals reversed and rendered
    judgment for Feldman as to liability. Id. The Texas Supreme Court held that the
    court of appeals could not render judgment for Feldman because Feldman did not
    demonstrate damages. Id. The Texas Supreme Court did not explain the precise
    rationale for its holding—e.g., whether the court of appeals erred by considering the
    denial of Feldman’s partial summary judgment motion (as Sally Beauty argues), erred
    by “dispos[ing] of issues not addressed or disposed of in the trial court,” see Evergreen
    Nat’l Indem. Co. v. Tan It All, Inc., 111 S.W.3d 669, 679 (Tex. App.—Austin 2003, no
    pet.) (distinguishing Feldman), or erred by rendering judgment on breach of contract
    liability alone. See Intercont’l Grp. P’ship v. KB Home Lone Star L.P., 295 S.W.3d 650, 660
    (Tex. 2009) (“Feldman was a summary-judgment case . . . but the common thread is
    plain: Absent tangible relief, either monetary or equitable, a judgment on liability
    alone is improper.”). Although Sally Beauty urges us to adopt its interpretation of
    Feldman—thereby overruling our own case law and contradicting the case law of our
    sister courts—Sally Beauty does not explain why its interpretation is allegedly
    necessary.
    
    challenged all four of Sally Beauty’s alternative theories of breach,71 while Sally Beauty
    
    sought—and secured—summary judgment only on the theory that the GCAR
    
    program’s liquidated damages provision was an unenforceable penalty.72 Sally Beauty
    
    thus claims that this court cannot address its alternative theories of breach because
    
    such theories were not raised in common; the sole issue raised in common was the
    
    liquidated damages penalty issue. Visa, meanwhile, argues that the overarching
    
    question of breach was raised in common and presented for the trial court’s
    
    evaluation. We agree with Sally Beauty.
    
          Sally Beauty’s motion for summary judgment did not address its alternative
    
    theories of breach; it addressed only the liquidated damages penalty theory. And
    
    because the trial court resolved the penalty issue in Sally Beauty’s favor, it was not
    
    required to reach the merits of Visa’s challenges to Sally Beauty’s alternative theories
    
    of breach. The issues were thus not raised in common. See Waller, 2020 WL 5406246,
    
    at *5 (declining to review denial of partial summary judgment because appellee
    
    
    
          71
             The breach of contract portion of Sally Beauty’s live petition stated four
    different breaches; it alleged (1) that for at least three different, independently
    sufficient reasons, “[t]he GCAR Liability Assessment was not authorized by the Visa
    [Core] Rules”—i.e., Visa failed to follow the Visa Core Rules in its calculation and
    imposition of the GCAR assessment; and (2) “[t]he GCAR Liability Assessment, even
    if it was authorized by the Visa [Core] Rules . . . , is unenforceable under applicable
    law because it constitutes a contractual penalty.”
          72
            For unexplained reasons, Visa agreed that, if the liquidated damages provision
    was an unenforceable penalty, Sally Beauty was entitled to judgment on the entirety of
    the breach of contract claim. See supra note 22.
    
    
    secured summary judgment on affirmative defense of res judicata and trial court did
    
    not reach appellant’s request for judgment on the merits of the claim); Star Elec., Inc. v.
    
    Northpark Office Tower, LP, No. 01-17-00364-CV, 2020 WL 3969588, at *24 (Tex.
    
    App.—Houston [1st Dist.] July 14, 2020, no pet.) (mem. op. on reh’g) (declining to
    
    review denial of partial summary judgment because appellee secured summary
    
    judgment on affirmative defense of statute of repose and trial court did not reach
    
    appellant’s request for judgment on the merits of the claim); Fairfield Indus., Inc. v. EP
    
    Energy E&P Co., L.P., 531 S.W.3d 234, 251 (Tex. App.—Houston [14th Dist.] 2017,
    
    pet. denied) (declining to review denial of partial summary judgment because appellee
    
    secured judgment on different bases than those raised in appellants’ motion); Coreslab
    
    Structures (Tex.), Inc. v. Scottsdale Ins. Co., 496 S.W.3d 884, 891 (Tex. App.—Houston
    
    [14th Dist.] 2016, no pet.) (similar). We therefore remand these issues for the trial
    
    court’s consideration. See Tex. R. App. P. 43.2(d); cf. Sosa v. Williams, 936 S.W.2d 708,
    
    711 n.1 (Tex. App.—Waco 1996, writ denied) (“Because in this case [appellant’s]
    
    motion for summary judgment and [appellees’] motions for summary judgment are
    
    premised differently, we remand for trial.”).
    
          3. Fraud
          The disposition of Visa’s fraud counterclaim is much simpler. Sally Beauty was
    
    the only party seeking summary judgment on Visa’s fraud counterclaim; thus, Visa
    
    acknowledges that the fraud counterclaim must be remanded to the trial court for
    
    
    
    
    further proceedings. We agree and remand the claim accordingly. See Tex. R. App. P.
    
    43.2(d).
    
                                      III. Conclusion
    
           Because the GCAR program is an enforceable liquidated damages provision,
    
    we reverse the trial court’s summary judgment on Sally Beauty’s breach of contract
    
    claim. And because Visa’s live counterpetition pleaded a cognizable claim for fraud
    
    along with facts to support its standing, we reverse the trial court’s summary judgment
    
    on Visa’s fraud counterclaim. We remand this case to the trial court for further
    
    proceedings consistent with this opinion. See Tex. R. App. P. 43.2(d).
    
    
    
                                                        /s/ Bonnie Sudderth
    
                                                         Bonnie Sudderth
                                                         Chief Justice
    
    Delivered: December 9, 2021
    
    
    
    