Sovereign Bank v. BJ's Wholesale Club, Inc.

533 F.3d 162, 51 A.L.R. 6th 657, 2008 U.S. App. LEXIS 15098, 2008 WL 2745939

• Court: Court of Appeals for the Third Circuit
• Decided: July 16, 2008
• Docket: 06-3392, 06-3405
• Status: Published

Opinion

OPINION

McKEE, Circuit Judge.

In these consolidated appeals, Sovereign Bank and the Pennsylvania State Employees Credit Union appeal orders dismissing claims that arose from the theft of certain credit card information from a retailer’s computer files. For the reasons that follow, we will reverse in part, and affirm those orders in part.

I. BACKGROUND

These consolidated appeals involve two law suits that arose from the theft of credit card information from the computer files of a prominent retailer. Visa U.S.A., Inc., is a corporation, comprised of an association of financial institutions, which operates a credit card payment system known as “Visa.” Sovereign Bank and the Pennsylvania State Employees Credit Union (“PSECU”) are both members of the Visa network. Sovereign and PSECU have a Membership Agreement with Visa that allows them to issue Visa cards to their respective customers and members. Within the Visa network, Sovereign and PSE-CU are referred to as “Issuers,” which means that they issue Visa cards to cardholders pursuant to the contracts they enter into with them.

Fifth Third Bank is also a member of the Visa network, and it also has a Membership Agreement with Visa. Within the network, Fifth Third is referred to as an “Acquirer,” which means that Fifth Third enters into contractual relationships with businesses that agree to accept Visa cards as payment for their goods and services (“Merchants”). Acquirers process those transactions on behalf of the Merchants. BJ’s Wholesale Club, Inc., is a Merchant. Accordingly, Fifth Third and BJ’s have entered into a Merchant Agreement. Although Merchants participate in the Visa network, they are not members. Only financial institutions are eligible for membership. Therefore, Merchants have no contractual relationship directly with Visa.

Every time a cardholder uses a Visa card to pay a Merchant for goods or services, the Issuer, Acquirer and Merchant must interact to process and complete the transaction. The Merchant’s computer scanners first “read” the “Cardholder Information” contained in the magnetic stripe on the back of Visa cards as they are swiped through the familiar terminal at the checkout. The Merchant then sends the pertinent account information through the Visa network to the Issuer. The Issuer reviews the Cardholder Information and, assuming the card is valid with sufficient available credit, the Issuer authorizes the transaction, and so notifies the Merchant. Upon receiving that notifi cation, the Merchant completes the transaction with the cardholder, and then forwards the receipt to the Acquirer who pays the Merchant pursuant to their agreement. The Acquirer then notifies the Issuer that payment has been received, and the Issuer pays the Acquirer and charges the cardholder.

Visa has created an extensive set of “Operating Regulations” to both govern and facilitate transactions involving Visa cards. 1 Those Regulations address virtually every aspect of the Visa payment system, and impose both general and specific requirements on participants in the network.

The disputes in these appeals center on certain security regulations including the Cardholder Information Security Program (“CISP”). The CISP provisions apply to Issuers and Acquirers and include broad security requirements intended to protect Cardholder Information. Those requirements include a prohibition against retaining or storing the data encoded in the familiar magnetic stripe on the back of credit cards, i.e., Cardholder Information, after a consumer transaction is completed.

One provision of the Operating Regulations, entitled “Enforcement,” defines procedures by which Visa can enforce compliance with the Operating Regulations. That provision expressly allows Visa to take specified remedial actions against Members who do not comply with the Operating Regulations, including levying fines and penalties. Enforcement actions can be appealed to Visa’s Board of Directors, but the Board’s decision is final. The Operating Regulations give Visa, and only Visa, the right to interpret and enforce the Operating Regulations, and only Visa can determine whether a violation of the Operating Regulations has occurred.

The Operating Regulations also impose extensive security requirements on Issuers and Acquirers. Section 2.3 of the Operating Regulations requires Issuers and Acquirers to ensure that their agents, service providers and Merchants comply with the Operating Regulations.

The Visa Operating Regulations also include comprehensive provisions for resolving disputes between Visa members. These provisions allow members to challenge disputed charges through “charge-back” and representment procedures, 2 in accordance with risk allocation judgments made by Visa. Disputes about the use of these procedures are resolved by arbitration.

Finally, the Operating Regulations also include “Compliance” provisions that apply when a Member’s violation of a Regulation causes a financial loss to another Member who cannot be made whole by resorting to chargeback or representment. For example, a loss resulting from fraudulent charges using stolen data is allocated to the Issuer. However, the Issuer may use the Compliance proceedings to shift that loss to the Acquirer if it resulted from the Acquirer’s violation of an Operating Regulation. The Compliance provisions do not eliminate any rights a Member may have to pursue any legal remedies that may otherwise be available.

Pursuant to their Membership Agreements with Visa, all Members of the Visa network including Insurers and Acquirers, agree to be bound by the Operating Regulations. In addition, before an Acquirer can enter into a Merchant Agreement with a Merchant, the Acquirer must first determine that the Merchant will abide by the Operating Regulations. Given the importance attached to uniform compliance, an Acquirer’s initial determination is deemed insufficient. Rather, an Acquirer must agree to ensure continued compliance with the Operating Regulations. Finally, the Acquirer must have a Merchant Agreement with each of its Merchants. The Merchant Agreements may generally contain whatever extraneous provisions the Acquirer and Merchant agree upon, but, the Agreement must, at a minimum, contain the provisions of Section 5.2 of the Operating Regulations. These disputes involve § 5.2.h.3.b. That subdivision prohibits a Merchant from retaining or storing Cardholder Information after an Issuer authorizes a transaction. Like all Visa Members, Fifth Third’s predecessor agreed to be bound by the Visa Operating Regulations and By-Laws, which are incorporated by reference into the Membership Agreement.

The seeds that sprouted this litigation were sewn in February 2004, when Visa identified a potential compromise of electronically stored Cardholder Information pertaining to certain Visa cards issued by Sovereign, PSECU and other financial institutions. Electronic data on some credit cards had been copied and used to fraudulently obtain goods and services after cardholders had used the cards at various BJ’s stores. Visa responded by issuing a “CAMS alert” to potentially affected Issuers. Such CAMS alerts notify Visa members that Cardholder Information may have been compromised. The CAMS alert here notified the Issuers that Visa cards which had been properly presented for payment at BJ’s stores from July 2003 through February 2004 had been compromised and could be used to make fraudulent purchases.

Sovereign responded to the February 2004 alert by cancelling some Visa cards and issuing new Visa cards to the affected cardholders. 3 Sovereign claims that the fraud was only possible because BJ’s improperly retained and stored the Cardholder Information from its customers’ cards instead of deleting the data immediately after a sales transaction was completed, as required by Visa Operating Regulation § 5.2.h.3.b. In Sovereign’s view, BJ’s failure to comply with the requirements of § 5.2.h.3.b. breached a duty owed to Sovereign. Sovereign further contends that Fifth Third failed to comply with the Operating Regulations by failing to ensure that BJ’s complied with § 5.2.h.3.b.

According to Sovereign, BJ’s failure to delete the Cardholder Information magnetically stored in Visa cards, and Fifth Third’s failure to ensure that BJ’s complied with § 5.3.h.3.b, allowed the unauthorized and fraudulent use of Cardholder Information. Sovereign maintains that it was legally obligated to reimburse its cardholders for the resulting fraudulent charges, and that it incurred expenses, and lost income and fees from doing so. This purportedly included the costs of issuing replacement cards to Cardholders (in an effort to mitigate further losses), and loss of goodwill of its customer base.

After it discovered the breach of security of Cardholder Information that had been retained in BJ’s system, PSECU also canceled approximately 20,000 Visa cards that it had issued to its members who had used the cards at BJ’s. It then reissued Visa cards with new account numbers and new Cardholder Information at a cost of approximately $98,000.

II. Sovereign Bank v. BJ’s Wholesale Club and Fifth Third Bank (No.

06-3392)

On January 10, 2005, Sovereign sued Fifth Third and BJ’s in state court asserting a claim for negligence, breach of contract, and equitable indemnification against each defendant. The suit was brought to recover the losses that resulted from the fraudulent use of Cardholders’ Information, lost fees and commissions, the value of the unauthorized purchases and sales, and the cost of replacing Visa cards.

BJ’s and Fifth Third removed the action to the United States District Court for the Eastern District of Pennsylvania. 4 Venue was subsequently transferred to the United States District Court for the Middle District of Pennsylvania to allow consolidation with Pennsylvania State Employees Credit Union v. Fifth Third Bank and BJ’s Wholesale Club, Inc. That action had been brought by the PSECU to recover the costs it incurred in replacing its members’ Visa cards that had been compromised by the fraud.

Following the transfer, BJ’s and Fifth Third separately moved to dismiss the claims against them pursuant to Fed. R.Civ.P. 12(b)(6). The district court denied BJ’s motion on the negligence claim, but granted it on the breach of contract and equitable indemnification claims. The court granted Fifth Third’s motion on the negligence and equitable indemnification claims, but denied it on the breach of contract claim. Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F.Supp.2d 183 (M.D.Pa.2005).

Fifth Third moved for reconsideration on the sole remaining claim for breach of contract. Sovereign’s breach of contract claim is based on a third-party or intended beneficiary theory and depends, in part, upon whether Fifth Third and Visa intended to give Sovereign enforceable rights under their separate contract even though Sovereign is not a party to it. Ultimately, the district court converted Fifth Third’s motion for reconsideration into a motion for summary judgment and ordered the parties to conduct discovery on the third-party beneficiary issues, i.e., whether Fifth Third’s contractual obligation to Visa to comply with the Visa Operating Regulations was intended to benefit Issuers like Sovereign.

In the meantime, Sovereign filed an amended complaint asserting claims against BJ’s for negligence, breach of fiduciary duty and promissory estoppel. The amended complaint restated the breach of contract claim against Fifth Third and added a claim for promissory estoppel. Fifth Third and BJ’s again moved to dismiss the claims under Rule 12(b)(6), and the district court dismissed all claims against BJ’s and dismissed all claims against Fifth Third except the breach of contract claim. Sovereign Bank v. BJ’s Wholesale Club, Inc., 427 F.Supp.2d 526 (M.D.Pa.2006).

In accordance with the district court’s order directing limited discovery on the third-party beneficiary issues, the parties exchanged paper discovery and took the deposition of Visa’s designated representative, Alex Miller. After discovery was completed, the district court granted summary judgment in favor of Fifth Third on the third-party beneficiary claim, holding that Sovereign was not an intended beneficiary of the Visa-Fifth Third Member Agreement. Sovereign Bank v. BJ’s Wholesale Club, Inc., 2006 WL 1722898 (M.D.Pa. June 16, 2006).

This appeal followed. With respect to Fifth Third, Sovereign appeals only the district court’s Rule 12(b)(6) dismissal of its equitable indemnification claim and the district court’s grant of summary judgment in favor of Fifth Third on its breach of contract claim. With respect to BJ’s, Sovereign appeals only the district court’s Rule 12(b)(6)’s dismissal of its negligence and equitable indemnification claims.

We discuss each of Sovereign’s arguments in turn.

A. Sovereign’s Breach of Contract Claim Against Fifth Third.

As noted, Sovereign’s contract claim is based on the theory that it is a third-party beneficiary of Fifth Third’s Member Agreement with Visa. As also noted, that agreement required Fifth Third to ensure that BJ’s complied with the Visa Operating Regulations, and § 5.2.h.3.b. of that agreement prohibits Merchants from retaining Cardholder Information. Sovereign contends that Fifth Third breached that contract by not ensuring BJ’s compliance.

Historically, under Pennsylvania law, “in order for a third party beneficiary to have standing to recover on a contract, both contracting parties must have expressed an intention that the third-party be a beneficiary, and that intention must have affirmatively appeared in the contract itself.” Scarpitti v. Weborg, 530 Pa. 366, 609 A.2d 147, 149 (1992) (citation omitted). Sovereign appropriately concedes that it is not an express third-party beneficiary of the Visa-Fifth Third Member Agreement. However, in Scarpitti, the Pennsylvania Supreme Court adopted § 302 of the Restatement (Second) of Contracts. Id. That provision allows an “intended beneficiary” to recover for breach of contract even though the actual parties to the contract did not express an intent to benefit the third party. Section 302 provides as follows:

Intended and Incidental Beneficiaries

(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and either

(a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or

(b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.

(2) An incidental beneficiary is a beneficiary who is not an intended beneficiary.

Under § 302, Sovereign’s contract claim depends on whether the “recognition of a right to performance” in Sovereign “is appropriate to effectuate the intentions of’ both Visa and Fifth Third in entering into their member agreement and whether “the circumstances indicate that” Visa (the promisee) “intend[ed]” to give Sovereign “the benefit of the promised performance.”

As noted earlier, the district court converted Fifth Third’s Rule 12(b)(6) motion to dismiss to a motion for summary judgment and ordered limited discovery. The ensuing discovery included production of numerous documents as well as the deposition of Visa’s designated representative, Alex Miller. Fifth Third relies in part on Miller’s testimony that he was not aware that Visa intended to create a direct right of enforcement under the Operating Regulations among Members and he has never seen a document that would allow a Member “to step into Visa’s shoes under its contract with other members” and enforce the Operating Regulations. Miller testified in part as follows:

[T]he core purpose of the Operating Regulations is to set up the conditions for participation in the system, to set up the rules and standards that apply to that ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants, and others who may participate in the system as well.

Fifth Third further contends that Miller also made it clear that the Operating Regulations’ prohibition against retaining Cardholder Information, which Fifth Third claims was enacted long after it entered into its agreement with Visa, was not to benefit any individual member or class of members. Rather, according to Miller:

[t]he purpose of the CISP program ... is to maximize the value to the Visa system as a whole. That can include the protection of any entity that may be involved in the use or — or handling of cardholder data, so it’s to protect a cardholder, the privacy of their information, to protect their confidence in using the Visa system, to protect issuers, to protect acquirers, to protect merchants; and by creating a system that protects cardholder data, generally it’s to maximize the usage and value of the Visa payment system for all of those participants.

Miller was asked whether, even though there may have been multiple purposes for requiring the Acquirer to ensure Merchant compliance with the regulations, at least one such reason was to protect Issuers. Miller responded as follows:

The part of your question I’m struggling with is to say whether that was the purpose or not. I think I summarized what the purpose was.

One of the entities that is impacted by the Cardholder Information Program is issuers, as well as acquirers, merchants and cardholders. So my understanding was the purpose was not directed at any one of those entities but to maximize the value of the system in protecting cardholder information for all of the participants.

Finally, Fifth Third notes that in responding to a question about whether Visa intended to give Issuers the benefit of the Acquirer’s compliance with the CISP, Miller testified:

Visa designed the CISP program to benefit the Visa system as a whole, to drive confidence in the integrity of the Visa system, to drive greater, greater efficiency, to drive cardholder security, and to do that from requirements that apply to all Visa members that designed ultimately to yield a more efficient system on behalf of all those participants.

In sum, Fifth Third contends that Miller’s deposition testimony clearly shows that the intent of the Operating Regulations, and more particularly the prohibition on Merchant retention of Cardholder Information, is to benefit the Visa system as a whole and not Sovereign or any particular Issuer in particular. Accordingly, Fifth Third argues that it is entitled to summary judgment on Sovereign’s breach of contract claim.

Sovereign responds that there is a genuine issue of material fact as to Visa’s intent which precludes summary judgment. Sovereign notes that in August 1993, Visa wrote a memorandum entitled “Retention of Magnetic-Stripe Data Prohibited.” 5 The memorandum described a new section of the Operating Regulations prohibiting the storage of magnetic-stripe data, ie., Cardholder Information. It read in part as follows:

To protect the Visa system and Issuers from potential fraud exposure created by databases of magnetic-stripe information, Section 6.21 has been revised. Effective September 1, 1993, the retention or storage of magnetic stripe data subsequent to the authorization of a transaction is prohibited. Acquirers are obligated to ensure that their merchants do not store the magnetic-stripe information from Visa Cards for any subsequent use.

Sovereign contends that this August 1993 memorandum shows that Visa understood and clearly intended that Issuers such as Sovereign (and PSECU) would obtain direct benefits from the requiring members to ensure that magnetic-stripe data was not retained.

Sovereign further contends that other evidence obtained from Visa shows that Visa expressly understood and intended that the prohibition would provide direct benefits to Issuers and that the type of harm suffered by Sovereign was specifically intended to be avoided by compliance with the prohibition. Visa published an on-line article entitled “Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored,” in May 2003. The article stated that the CISP “was established to preclude a compromise that could lead to the duplication of valid magnetic-stripe data on counterfeit or altered cards,” because such a data compromise “impacts Issuers, Acquirers, cardholder goodwill and the integrity of the payment system.” Sovereign submits that this article is additional evidence that the prohibition against retaining Cardholder Information contained in the magnetic strip was intended to directly benefit Issuers.

Finally, Sovereign relies on the following exchange during Miller’s deposition:

Q: [by Fifth Third’s counsel] Is it fair to say that the operating regulations are not intended to benefit a single group of participants, but the Visa payment system as a whole?

Objection. Leading.

A: [by Miller] It’s fair to say that the core purpose of the operating regulations is to set up the conditions for participation in the system, to set up rules and standards that apply to that ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants and others who may participate in the system as well, (emphasis added).

Q: They may have some incidental benefit; is that correct?

Objection

Leading, and calls for a legal conclusion. A: The bylaws and operating regulations, by their terms, apply only to members. So to the extent you mean they might have benefits beyond the rules that apply to other stakeholders, that’s correct. They’re not directly parties to these rules, (emphasis added)

Sovereign argues that, despite the best efforts of Fifth Third’s counsel, the italicized portions of Miller’s testimony demonstrate that Visa understood that Issuers are more than incidental beneficiaries of the Member Agreements. Rather, it shows that Visa expressly understood that other classes of participants, such as Issuers, were intended and foreseeable beneficiaries of a Member Agreement, even though they are not parties to a particular agreement.

Sovereign also argues that in granting summary judgment to Fifth Third, the district court did not apply well-settled summary judgment standards. Rather, according to Sovereign, the district court acted like a fact-finder by weighing conflicting or ambiguous evidence and making credibility determinations. The district court explained:

In the face of this evidence of Visa’s intent [i.e., Miller’s deposition testimony], we do not believe that the single August 1993 reference to benefiting issuers nor the ambiguous “core purpose” statement is sufficient evidence to lead a reasonable jury to find for [Sovereign] on the contract claim.

2006 WL 1722398 at *12 (emphasis added). It further commented:

It cannot be disputed that Sovereign benefits from the prohibition on the retention of magnetic-stripe data. It is probably also true that as an issuer it has the greatest need for such a prohibition, and benefits the most from it, since its cardholders’ information is at risk if a merchant or other entity retains such data so that it is subject to theft. But one essential part of the test for third-party-beneficiary status is that the promisee, here Visa, must have intended to benefit the third party. There is sufficient evidence on summary judgment to state that Visa had no such intent. In sum, as Fifth Third argues, Sovereign is at most an incidental beneficiary of the member agreement between Visa and Fifth Third, and an incidental beneficiary has no right to enforce a contract, no matter how great a stake it might have in doing so.

Id. (emphasis added).

We disagree with Sovereign’s claim that the district court did not apply well-settled summary judgment standards. In Saldana v. Kmart Corp., 260 F.3d 228 (3d Cir.2001), we discussed the familiar principles governing summary judgment:

When reviewing an order granting summary judgment, we exercise plenary review and apply the same test a district court applies. Under Federal Rule of Civil Procedure 56(c), that test is whether there is a genuine issue of material fact and, if not, whether the moving party is entitled to judgment as a matter of law. In so deciding, a court must view the facts in the light most favorable to the nonmoving party and draw all inferences in the party’s favor. A court should find for the moving party if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to judgment as a matter of law. The party opposing summary judgment may not rest upon the mere allegations or denials of the pleading; its response, by affidavits or as otherwise provided in this title, must set forth specific facts showing that there is a genuine issue for trial. There is no issue for trial unless there is sufficient evidence favoring the nonmoving party for a jury to return a verdict for that party. Such affirmative evidence — re gardless of whether it is direct or circumstantial — must amount to more than a scintilla, but may amount to less (in the evaluation of the court) than a preponderance.

Id. at 231-32 (citations omitted) (emphasis added). In a later case, In re CitX Corp., 448 F.3d 672, 677 (3d Cir.2006), we commented that “to survive summary judgment on his claim ... [a nonmovant] must present sufficient evidence to allow a reasonable jury to find in his favor.”

Moreover, in one of the leading, and oft-cited, summary judgment standard cases, Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986), the Supreme Court noted that “[b]y its very terms,” Rule 56(c) “provides that the mere existence of some alleged factual dispute between the parties will not defeat an otherwise properly supported motion for summary judgment; the requirement is that there be no genuine issue of material fact.” Id. at 247-248, 106 S.Ct. 2505 (emphasis in original). The Court went on to explain:

As to materiality, the substantive law will identify which facts are material. Only disputes over facts that might affect the outcome of the suit under governing law will properly preclude the entry of summary judgment. Factual disputes that are irrelevant or unnecessary will not be counted.

More important for present purposes, summary judgment will not lie if the dispute about a material fact is “genuine,” that is, if the evidence is such that a reasonable jury could return a verdict for the nonmoving party.

Id. at 248, 106 S.Ct. 2505.

Therefore, the district court did not err in referring to a “reasonable jury” or “substantial evidence” in its summary judgment analysis. However, even though we do not agree with Sovereign’s contention that the district court misstated the rule for granting summary judgment, we agree that the court misapplied those principles and erroneously granted summary judgment.

In order to be an intended beneficiary of the Visa-Fifth Third Member Agreement, Sovereign has the burden of producing, inter alia, sufficient evidence that Visa intended to give it the benefit of the Fifth Third’s promise to Visa to ensure that BJ’s complied with the provision of the Member Agreement prohibiting Merchants from retaining Cardholder Information. We believe that Sovereign met that burden.

We do not, however, regard the May 2003 on-line article entitled “Issuers and Acquirers Are At Risk When Magnetic-Stripe Is Stored” as indicative of an intent to benefit a particular Issuer such as Sovereign or PSECU. That article simply states the reason for the prohibition against retention of Cardholder Information, viz., a data compromise that could result from storage of magnetic-stripe data “impacts Issuers, Acquirers, cardholder goodwill, and the integrity of the system.” However, we do believe that Visa’s August 1993 memorandum, entitled “Retention of Magnetic-Stripe Date Prohibited,” and Miller’s “core purpose” deposition testimony raise a genuine issue of material fact regarding the intent of the Visa and Fifth Third Member Agreement. That was sufficient to preclude the grant of summary judgment on Sovereign’s breach of contract claim.

In his deposition, Miller testified that the core purpose of the Operating Regulations was to benefit the Visa system and “the members that participate in it.” Admittedly, any indication of an intent by Visa to specifically benefit Issuers is arguably undermined by Miller’s references to “other shareholders such as cardholders, merchants and others who may participate in the system as well.” Nonetheless, his testimony clearly suggests an intent by Visa to benefit Issuers. An argument to the contrary is tantamount to claiming that since Visa intended to benefit 35 everyone who was part of the Visa system, it did not specifically intend to benefit anyone. However, the fact that it intended to benefit several Members or classes of Members does not negate the possibility that it intended to benefit individual Issuers such as Sovereign.

Moreover, as recited earlier, the August 1993 memorandum provides, in relevant part: “To protect the Visa system and Issuers from potential fraud exposure created by databases of magnetic-stripe information .... Acquirers are obligated to ensure that their merchants do not store the magnetic-stripe information from Visa Cards for any subsequent use.” (emphasis added). Thus, the memorandum clearly states that Acquirers must act to protect Issuers by ensuring that their Merchants do not retain Cardholder Information. Accordingly, the August 1993 memorandum is sufficient evidence by itself to create a genuine issue about whether Visa intended to give Sovereign the benefit of Fifth Third’s promise to Visa to ensure BJ’s compliance with the provisions of the Visa-Fifth Third Member Agreement. Therefore, we will reverse the district court’s grant of summary judgment to Fifth Third on the breach of contract claim and remand for further proceedings on that claim. 6

B. Sovereign’s Equitable Indemnification Claims Against Fifth Third and BJ’s.

As noted, BJ’s and Fifth Third separately moved to dismiss these equitable indemnification claims pursuant to Rule 12(b)(6), and the district court granted both motions. 395 F.Supp.2d 183 (M.D.Pa.2005). Sovereign contends that was error. 7

Indemnification is “a fault shifting mechanism.” Sirianni v. Nugent Bros., Inc., 509 Pa. 564, 506 A.2d 868, 871, (1986).

The right of indemnity rests upon a difference between the primary and the secondary liability of two persons each of which is made responsible by the law to an injured party. It is a right which enures to a person who, without active fault on his own part, has been compelled, by reason of some legal obligation, to pay damages occasioned by the negligence of another, and for which he himself is only secondarily liable. The difference between primary liability and secondary liability ... depends on a difference in the character or kind of the wrongs which cause the injury and in the nature of the legal obligation owed by each of the wrongdoers to the injured person.... [Secondary as distinguished from primary liability rests upon a fault that is imputed or constructive only, being based on some legal relation between the parties, or arising from some positive rule of common or statutory law or because of a failure to discover or correct a defect or remedy a dangerous condition caused by the act of the one primarily responsible.

Builders Supply Co. v. McCabe, 366 Pa. 322, 77 A.2d 368, 370, 371 (1951) (emphasis omitted).

Sovereign claims a right to indemnification because BJ’s and Fifth Third are primarily liable (presumably to Sovereign’s cardholders) based on their negligently allowing the retention of the Cardholder Information. Sovereign believes that it is only secondarily liable because of the operation of the Truth in Lending Act (“TILA”), 15 U.S.C. § 1643(a), (d), which creates a ceiling of $50 for cardholder liability for unauthorized charges.

Sovereign claims that its status of secondary liability arises because, when a credit card purchase is made, the cardholder’s account is charged, or debited, within days for that purchase and it becomes the cardholder’s obligation to pay the charges incurred; this is true even if the purchase is fraudulent. However, once a cardholder becomes aware of fraudulent activity on his/her account and notifies the card Issuer, that Issuer is obligated to reverse the charges, or credit the cardholder, for the amount of those fraudulent charges less $50, under the TILA. Thus, although § 1643 on its face only limits a cardholder’s liability, it creates a concomitant duty in the Issuer to reimburse the cardholder’s account for all fraudulent charges in excess of the $50 ceiling.

Sovereign submits that its cardholders had already been charged the full amount of the fraudulent charges before the fraud was discovered. Thus, in order to keep cardholders’ liability below the $50 limitation, Sovereign was obligated to reimburse the cardholder accounts for the amount of the fraudulent charges less $50. According to Sovereign, this is the precise situation the doctrine of equitable indem nification was designed to address. We disagree.

Sovereign can point to no authority to support its attempt to forge an equitable indemnification claim from the provisions of the TILA, and we have found none. The TILA is a consumer protection statute. Fairley v. Turan-Foley Imports, Inc., 65 F.3d 475, 479 (5th Cir.1995). TILA § 1643 does not impose any obligation on issuers of credit cards to pay the costs associated with unauthorized or fraudulent use of credit cards. It simply limits the liability of cardholders, under certain circumstances, to a maximum of $50 for unauthorized charges. Indeed, § 1643 does not address, nor is it even concerned with, the liability of an Issuer or any party other than the cardholder for unauthorized charges on a credit card. Section 1643 imposes liability only upon the cardholder. Since TILA § 1643 does not obligate Sovereign to reimburse its cardholders’ accounts, the district court correctly dismissed the equitable indemnification claims against Fifth Third and BJ’s.

C. Sovereign’s Negligence Claim Against BJ’s.

The district court dismissed Sovereign’s negligence claim pursuant to Fed.R.Civ.P. 12(b)(6) because the claim was barred by the economic loss doctrine. 427 F.Supp.2d at 533.

“The Economic Loss Doctrine provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage.” Adams v. Copper Beach Townhome Communities, L.P., 816 A.2d 301, 305 (Pa.Super.2003). “[T]he Economic Loss Doctrine is concerned with two main factors: foreseeability and limitation of liability.” Id. at 307

Pennsylvania appellate courts first discussed this doctrine in Aikens v. Baltimore & Ohio R.R. Co., 348 Pa.Super. 17, 501 A.2d 277 (1985). There, employees of a manufacturing company sued a railroad company to recover wages lost when their plant had to close because of damage inflicted by a derailment allegedly caused by the railroad company’s negligence. The employees did not suffer any personal injuries or loss of property. In appealing the trial court’s judgment on the pleadings in favor of the railroad, the employees argued that the Pennsylvania Superior Court should recognize “a cause of action to compensate a party suffering purely economic loss, absent any direct physical injury or property damage, as a result of the negligence of another party.” 501 A.2d at 278. The Superior Court declined the invitation; instead, the court adopted the general rule set forth in the Restatement (Second) of Torts § 766C. That rule provides as follows:

Negligent Interference with Contract or Prospective Contractual Relation.

One is not liable to another for pecuniary harm not deriving from physical harm to the other, if that harm results from the actor’s negligently

(a) causing a third person not to perform a contract with the other, or

(b) interfering with the other’s performance of his contract or making the performance more expensive or burdensome, or

(c) interfering with the others acquiring a contractual relation with a third person.

The Superior Court noted that under § 766C, “recovery for purely economic loss occasioned by tortuous interference with contract or economic advantage is not available under a negligence theory.” 501 A.2d at 278 (citation omitted).

As the Superior Court explained, the “roots of this well-established rule” reach back to the U.S. Supreme Court’s decision in Robins Dry Dock and Repair Co. v. Flint, 275 U.S. 303, 48 S.Ct. 134, 72 L.Ed. 290 (1927). The Superior Court quoted from the Supreme Court’s decision in Flint, in concluding that:

negligent harm to economic advantage alone is too remote for recovery under a negligence theory. The reason that a plaintiff cannot recover stems from the fact that the negligent actor has no knowledge of the contract or prospective relation and thus has no reason to foresee any harm to the plaintiffs interest.

501 A.2d at 279.

Moreover, as the Superior Court stressed, there are sound public policy reasons to condition tort recovery on injury to person or property.

[Ajllowance of a cause of action for negligent interference with economic advantage would create an undue burden upon industrial freedom of action, and would create a disproportion between the large amount of damages that might be recovered and the extent of defendant’s fault. See Restatement (Second) of Torts Sec. 766c, comment a (1979). To allow a cause of action for negligent cause of purely economic loss would be to open the door to every person or business to bring a cause of action. Such an outstanding burden is clearly inappropriate and a danger to our economic system.

Id. Accordingly, the Superior Court held “that no cause of action exists for negligence that causes only economic loss.” Id.

In its negligence claim against BJ’s, Sovereign is seeking to recover the costs associated with replacement of some of its customers’ Visa cards and the amounts it paid to reimburse customers whose magnetic-stripe data was used for fraudulent purchases. Sovereign tries to get around the fatal limitation of the economic loss doctrine by relying on the Pennsylvania Supreme Court’s decision in Bilt-Rite Contractors, Inc. v. The Architectural Studio, 581 Pa. 454, 866 A.2d 270 (2005). Sovereign claims that Bilt-Rite severely weakened the economic loss doctrine as first announced in Aikens v. Baltimore & Ohio R.R. Co., supra.

Sovereign first claims that the district court erred in assessing its losses in purely economic terms, because it also incurred a loss of property, i.e. money, because of BJ’s alleged negligence. The argument is meritless. Not surprisingly, Sovereign cites no authority to support its contention that its financial loss negates the economic loss doctrine. Indeed, the argument would totally eviscerate the economic loss doctrine because any economic loss would morph into the required loss of property and thereby furnish the damages required for a negligence claim.

Sovereign also attempts to pirouette around the economic loss doctrine by arguing that it only applies when the plaintiff has suffered an unforeseeable loss, and then claiming that its loss was clearly a foreseeable result of BJ’s negligence. We do not doubt that Sovereign’s loss was a foreseeable result of not taking appropriate precautions to protect its cardholders’ information. However, that does not advance Sovereign’s claim to the extent that Sovereign believes. We agree that the court in Aikens did explain that the economic loss doctrine was partly the result of a policy consideration to not impose loss for an unforeseeable result. However, that is of no consequence here because Sovereign did not incur any loss of property. Moreover, Sovereign’s argument ignores the thrust of the public policy rational explained in Aikens.

Finally, Sovereign claims that the decision in Bilt-Rite Contractors, Inc. v. The Architectural Studio, supra, severely weakened the economic loss doctrine by permitting negligence claims to proceed without regard to economic loss. There, Bilk-Rite, a general contractor, entered into a construction contract to build a new school for a school district. In formulating its winning bid for the contract, Bilt-Rite claimed that it had relied on the drawings and specifications prepared by an architect who had been hired by the school district for the very purpose of preparing drawings and specifications that were to be used to prepare bids. However, during the subsequent construction, BilNRite discovered that some of the representations in the specifications were inaccurate. Bilt-Rite incurred significant cost overruns in attempting to build the building, and it sued the architect for negligent misrepresentation to recover its losses.

The trial court sustained the architect’s preliminary objections based on the operation of the economic loss doctrine and the Pennsylvania Superior Court affirmed. On appeal, the Pennsylvania Supreme Court held that the economic loss doctrine did not bar the contractor’s negligent misrepresentation action. Sovereign relies on the following language from the Pennsylvania Supreme Court’s majority opinion:

Here, [the contractor] had no contractual relationship with [the architect]; thus, recovery under a contract is not available to [the contractor]. Having found that [the contractor] states a viable claim for negligent misrepresentation ..., and that privity is not a prerequisite for maintaining such an action, logic dictates that [the contractor] not be barred from recovering the damages it incurred, if proven. Indeed, to apply the economic loss doctrine ... would be non-sensical: it would allow a party to pursue an action only to hold that, once the elements of the cause of action are shown, the party is unable to recover for its losses.

866 A.2d at 288 (emphasis is Sovereign’s). Sovereign attempts to leverage this excerpt from the majority opinion in Bilt-Rite into a claim that applying the economic loss doctrine here would be equally nonsensical. However, this argument is completely without merit.

Sovereign concedes that “the bulk of the Supreme Court’s opinion in Bilt-Rite focuses not on the economic loss doctrine, but on whether or not in the context of a negligent misrepresentation claim, plaintiff could establish the existence of a duty on the part of the architect absent privity of contract.” Sovereign’s Br. at 42. Moreover, the decision did not, as Sovereign claims, severely weaken the economic loss doctrine. Rather, the Court simply made an exception to the doctrine to allow a commercial plaintiff recourse from an “expert supplier of information” with whom the plaintiff has no contractual relationship, when the plaintiff has relied on that person’s “special expertise” and the “supplier negligently misrepresents the information to another in privity.” 866 A.2d at 286. That is simply not our case. 8 The Pennsylvania Supreme Court never suggested that it intended to severely weaken or undermine the economic loss doctrine in a case such as this. It simply carved out a narrow exception when losses result from the reliance on the advice of professionals.

Thus, the district court correctly held that Sovereign’s negligence claim against BJ’s was barred by the economic loss doctrine.

D. CONCLUSION

For the above reasons, we will reverse the district court’s grant of summary judgment to Fifth Third on Sovereign’s breach of contract claim and remand for further proceedings. However, we will affirm the district court’s dismissal of Sovereign’s equitable indemnification claims against Fifth Third and BJ’s and its dismissal of Sovereign’s negligence claim against BJ’s.

III. Pennsylvania State Employees Credit Union v. Fifth Third Bank and BJ’s Wholesale Club, Inc. (No. 06-3405)

The Pennsylvania State Employees Credit Union is the Issuer of Visa cards to it members, Fifth Third is the Acquirer and BJ’s is the Merchant. After discovering the breach of Cardholder Information retained in BJ’s system, PSECU canceled approximately 20,000 of its Visa cards that had been used at BJ’s. It then reissued Visa cards with new account numbers and new Cardholder Information at a cost of approximately $98,000. PSECU brought this action to recover related costs. 9

PSECU filed an amended complaint against Fifth Third and BJ’s alleging breach of contract, negligence, equitable indemnification, and unjust enrichment. 10 Fifth Third and BJ’s separately filed Rule 12(b)(6) motions to dismiss the amended complaint. The district court dismissed all of PSECU’s claims against BJ’s pursuant to BJ’s 12(b)(6) motion. The district court also dismissed all of PSECU’s claims against Fifth Third except for PSECU’s breach of contract claim. Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F.Supp.2d 317 (M.D.Pa.2005).

After limited discovery, the district court granted summary judgment in favor of Fifth Third on PSECU’s breach of contract claim, holding that PSECU, like Sovereign, was not an intended beneficiary of the Visa-Fifth Third Member Agreement. Pennsylvania State Employees Credit Un ion v. Fifth Third Bank, 2006 WL 1724574 (M.D.Pa. June 16, 2006). This appeal followed.

PSECU challenges the grant of summary judgment to Fifth Third on PSE-CU’s breach of contract claim and the district court’s dismissal of its claims against Fifth Third and BJ’s for negligence and unjust enrichment.

A. PSECU’s Breach of Contract Claim Against Fifth Third.

PSECU’s breach of contract claim parallels Sovereign’s breach of contract claim that we just discussed in No. 06-3392. PSECU asserts that it is a third-party or intended beneficiary of Fifth Third’s Member Agreement with VISA requiring Fifth Third to ensure BJ’s compliance with the Visa Operating Regulations. PSECU relies on the same documentary evidence and deposition testimony that formed the basis of Sovereign’s third-party beneficiary claim against Fifth Third. PSECU’s arguments on appeal mirror Sovereign’s third party beneficiary arguments, and our analysis of Sovereign’s third party beneficiary claim therefore applies with equal force to PSECU’s breach of contract claim. Accordingly, for the reasons set forth in 06-3392, we will reverse the district court’s grant of summary judgment to Fifth Third on PSECU’s breach of contract claim and remand for further proceedings.

B. PSECU’s Negligence Claims Against BJ’s and Fifth Third.

In asserting negligence claims against BJ’s and Fifth Third, PSECU argues that BJ’s had a duty to comply with the Visa Operating Regulations, and that Fifth Third had a duty to ensure compliance. PSECU alleged that both parties negligently breached their duties. The district court dismissed both negligence claims based upon the economic loss doctrine that we have already discussed in No. 06-3392.

PSECU makes two arguments in contesting the district court’s application of the economic loss doctrine. First, PSECU maintains that BJ’s and Fifth Third’s negligence resulted in physical damage to PSECU’s property — the Visa cards — and the doctrine was therefore not applicable. PSECU’s theory proceeds as follows:

BJ’s and Fifth Third’s negligence allowed unauthorized third parties to access the magnetic stripe data from these Visa cards and convert that data to their own purposes. Once this credit card information was in the hands of third parties, the associated Visa cards were rendered useless, necessitating their replacement. [BJ’s and Fifth Third’s] negligence, therefore, resulted in a physical act (third party access) which damaged physical property (the Visa cards) that belonged to PSECU. PSECU therefore suffered property damage as a result of [BJ’s and Fifth Third’s] negligence and its claims should not be barred by the economic loss doctrine.

PSECU’s Br. at 39-40. We cannot agree.

Even if we assume arguendo that destruction of the Visa cards constitutes the kind of property damage that can be compensated in a negligence action, PSE-CU’s argument still fails because it ignores the fact that the Visa cards were not damaged; they were cancelled. Therefore, if the magnetic-stripe data constitutes physical property, PSECU’s negligence claim is still not advanced. The data was copied, not destroyed. Furthermore, the cards themselves remained intact and useable until cancelled by PSECU. The fraudulent transactions had no physical effect on either the cards, the data encoded on the cards, or the magnetic-stripe which contained that data. The fraudulent activity simply did not render the cards useless. The cardholders could continue to use them to make purchases after the information was compromised. Indeed, as BJ’s notes, PSECU deemed the cards useless not because they were damaged, but because PSECU was exposed to liability for unauthorized charges. PSECU decided to limit that exposure by canceling cards and reissuing new ones, but, that does not establish that PSECU’s property was damaged.

Second, PSECU contends that the economic loss doctrine does not apply because the parties are not in privity of contract and the justifications for application of the doctrine are not advanced by its application here. PSECU relies on Bilt-Rite Contractors, Inc. v. The Architectural Studio, 581 Pa. 454, 866 A.2d 270 (2005). PSECU also argues that that case constituted a “sweeping departure from previous incantations of the economic loss doctrine.” PSECU’s Br. at 43. According to PSE-CU, in Bilh-Rite “the Pennsylvania Supreme Court held that the economic loss doctrine may not apply where the plaintiff has no available contract remedy.” PSE-CU’s Br. at 41 It bases that argument on the following excerpt from Bilt-Rite:

Pennsylvania has long recognized that purely economic losses are recoverable in a variety of tort actions.... We agree with that court that a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than contract law. Here, Bilt-Rite had no contractual relationship with TAS; thus, recovery under a contract is not available to Bilb-Rite. Having found that Bilt-Rite states a viable claim for negligent representation ... and that privity is not a prerequisite for maintaining such an action, logic dictates that BilNRite not be barred from recovering the damages it incurred.

866 A.2d at 288 (emphasis is PSECU’s).

However, we have already explained that Bilb-Rite did not hold that the economic loss doctrine may not apply where the plaintiff has no available contract remedy. As explained in Sovereign’s appeal, the Bilt-Rite Court simply carved-out an exception to allow a commercial plaintiff to seek recourse from an “expert supplier of information” with whom the plaintiff has no contractual relationship, in very narrow circumstances not relevant here. 866 A.2d at 268. The Pennsylvania Supreme Court emphasized that its holding was limited to those “businesses” which provide services and/or information that they know will be relied upon by third parties in their business endeavors.... Id. Accordingly, the district court did not err in dismissing PSECU’s negligence claims against BJ’s and Fifth Third.

C. PSECU’s Claims For Unjust Enrichment Against Fifth Third and BJ’s.

The elements of unjust enrichment under Pennsylvania law have been defined as follows:

(1) benefits conferred on defendant by plaintiff; (2) appreciation of such benefits by defendant; and (3) acceptance and retention of such benefits under such circumstances that it would be inequitable for defendant to retain the benefit without payment of value.

Limbach Co. LLC v. City of Philadelphia, 905 A.2d 567, 575 (Pa.Cmwlth.2006) (citation omitted). The cause of action is similar to a claim for equitable indemnification that we discussed in No. 06-3392. “To sustain a claim of unjust enrichment, a claimant must show that the party against whom recovery is sought either wrongfully secured or passively received a benefit that it would be unconscionable for her to retain.” Torchia v. Torchia, 346 Pa.Super. 229, 499 A.2d 581, 582 (1985) However, a claim for unjust enrichment requires more than a showing that the defendant may-have benefited in some way from the disputed conduct. Walter v. Magee-Womens Hosp., 876 A.2d 400, 407 (Pa.Super.2005).

PSECU argues that BJ’s and Fifth Third benefited from PSECU’s cancellation and replacement of its Visa cards because the cancellation stopped the fraudulent use of those cards and permitted PSECU’s members to resume using their cards for retail purchases. PSECU’s actions also limited the liability that BJ’s and Fifth Third would otherwise have incurred to PSECU and its members. Thus, argues PSECU, BJ’s and Fifth Third’s acceptance and retention of the benefits conferred without compensation to PSECU, would be inequitable. Accordingly, BJ’s and Fifth Third were unjustly enriched by PSECU’s cancelling and replacing its members’ Visa cards. We cannot agree.

The district court held that BJ’s and Fifth Third received no benefit from PSE-CU’s cancelling and reissuing of its members’ Visa cards because PSECU replaced the cards pursuant to its contractual obligation with its cardholders. The district court relied on Allegheny Gen. Hosp. v. Philip Morris, Inc., 228 F.3d 429 (3d Cir.2000), in holding that any benefit that BJ’s or Fifth Third may have derived was purely incidental, and could not form the basis of an unjust enrichment claim. 398 F.Supp.2d at 331.

In Allegheny Gen. Hospital, a group of hospitals sued various tobacco companies asserting an unjust enrichment claim for unreimbursed medical care the hospitals had provided to nonpaying, diseased smokers. The hospitals claimed that “by paying for the medical services required by nonpaying patients, the Hospitals discharged the Tobacco Companies’ legal duties and saved them from bearing costs caused by their fraudulent and wrongful conduct.” 228 F.3d at 447. We held that a claim for unjust enrichment may not be based on the performance of an obligation that is independently owed to third parties:

In addition, since the Hospitals had an independent obligation to provide health care to the nonpaying patients [through Medicaid], incidental benefit to the Tobacco Companies is not enough to maintain an action; the nonpaying patients get the main benefit, not the Tobacco companies. See Restatement of Restitution § 106 (1937) (“A person who, incidentally to the performance of his own duty ... has conferred a benefit upon another, is not thereby entitled to contribution.”).

Id.

PSECU’s unjust enrichment claims against BJ’s and Fifth Third are analogous to the hospital’s failed unjust enrichment claim against the tobacco companies. PSECU attempts to distinguish Allegheny by arguing that, unlike the hospitals, it did not replace its members’ Visa cards pursuant to an independent obligation. However, PSECU’s amended complaint fatally undermines that contention. There, PSE-CU alleged that it replaced its members’ Visa cards “to fulfill a contractual obligation to its customers.” Am. Compl. ¶ 65. Although PSECU’s attempt to salvage its unjust enrichment claim now requires that it take a contrary position, the allegation in the amended complaint is a binding judicial admission. See Parilla v. IAP Worldwide Serv., VI, Inc., 368 F.3d 269, 275 (3d Cir.2004) (“Judicial admissions are formal concessions in the pleadings, or stipulations by the party or its counsel, that are binding upon the party making them.”). Accordingly, the district court properly dismissed the unjust enrichment claim.

Finally, PSECU tries to distinguish this case from Allegheny. According to PSE- CU, this case should be governed by the Restatement of Restitution § 81, which provides:

Unless otherwise agreed, a person who has discharged more than his proportionate share of a duty owed by himself and another as to which, between the two, neither had a prior duty of performance, is entitled to contribution from the other, except where the payor is barred by the wrongful nature of his conduct.

Comment (b) offers the following guidance:

The rule stated in this Section applies where two or more persons are interested in an enterprise out of which the obligation arises, whether as primary or secondary obligors, and where neither of them with respect to the other has a prior duty of performance, irrespective of the question whether, as between them and the creditor, one of them appears to be primarily responsible.

Comment (c) explains the limited scope of § 81:

The rule stated in this Section is limited to those who are parties to a single transaction or series of transactions. If there is but one debt or duty, the fact that there are a number of separate agreements which guarantee its performance does not prevent contribution between all the secondary obligors.

Id. at comment (c).

PSECU argues that it entered into the series of contracts that make up the Visa system with BJ’s and Fifth Third, but it does not have any “prior duty of performance” within the Visa system. PSECU concedes that it did allege that it replaced its members’ cards pursuant to its contractual obligations within the Visa system. However, it submits that Visa’s designated representative’s deposition testimony establishes that cancellation and reissuance of its members cards is only one of a number of options an Issuer may take in response to a breach of Cardholder Information by a Merchant or Acquirer.

According to PSECU, this establishes that it had no obligation to cancel and reissue the cards; rather, doing so was just one of PSECU’s options under the Visa system. PSECU claims that by promptly cancelling and replacing cards, it protected BJ’s and Fifth Third from greater fraud losses, which would have been shifted to Fifth Third’s compliance process (and then shifted to BJ’s for indemnification to Fifth Third).

PSECU concludes that it, BJ’s and Fifth Third are all “interested in an enterprise [the Visa system, and its associated network of contracts] out of which [obligations] arise,” as to which none of the three have a prior duty of performance. PSECU’s Br. at 55 (quoting Restatement of Restitution § 81, comment (b)). It further says that by cancelling and reissuing its members’ Visa cards, it “discharged more than [its] proportionate share of a duty owed by [PSECU, BJ’s and Fifth Third]” “as to which, between the [three], neither had a prior duty of performance.” Id. (quoting Restatement of Restitution § 81). Therefore, PSECU contends that it is entitled to contribution from BJ’s and Fifth Third on its unjust enrichment theory, regardless of whether PSECU, BJ’s or Fifth Third “appears to be primarily responsible” for reissuance of Visa cards. Id. (quoting Restatement of Restitution § 81, comment (b)).

This argument has some facial appeal. However, PSECU did not make this argument in the district court, and we therefore need not determine its merit now. “Generally, barring exceptional circumstances, like an intervening change in the law or the lack of representation by an attorney, this Court does not review issues raised for the first time at the appellate level.” Gleason v. Norwest Mortgage, Inc., 243 F.3d 130, 142 (3d Cir.2001). PSECU does not contend that there are exceptional circumstances present here, and we do not find any. Accordingly, this argument has been waived, and we will reject it without discussion.

We conclude that the district court did not err in dismissing PSECU’s unjust enrichment claim against either BJ’s or Fifth Third.

For all of the above reasons, we will reverse the district court’s grant of summary judgment to Fifth Third on PSE-CU’s breach of contract claim, but affirm that court’s dismissal of PSECU’s negligence and unjust enrichment claims against Fifth Third and BJ’s.

1 . Visa offers both credit cards and debit cards. Since the distinction is not relevant here, we will simply refer to "credit cards.”

2 . A "chargeback” is the return of a transaction from the Issuer to the Acquirer, sometimes because the Issuer’s customer has a dispute with the Merchant or because the customer does not recognize the transaction. A "representment” is the Issuer's or its agent’s challenge to a chargeback; it involves resubmission, of its response to the charge-back with additional information.

3 . The alert is purely informational and does not mean that the accounts listed had been compromised. Fifth Third claims that an Issuer has discretion in choosing how it will respond to a CAMS alert. It can respond by monitoring the affected accounts for fraudulent activity, cancelling the accounts and reissuing new Visa cards, or taking other measures based on the potential for fraud.

4 . The district court had jurisdiction pursuant to 28 U.S.C. § 1332.

5 . The memorandum was written by Vincent La Paglia, Visa’s Vice President, Card Operations.

6 . After oral argument, counsel for Fifth Third sent a letter to the Clerk, pursuant to Fed. R.App.P. 28(j), informing her of a decision of the United States District Court for the District of Massachusetts in In re TJX Companies Retail Security Breach Litigation, 524 F.Supp.2d 83 (D.Mass.2007), a case that is factually identical to the two appeals before us. TJX is the Merchant in that case and Fifth Third is the Acquirer. In TJX, a putative class of Issuers asserted third-party beneficiary claims against Fifth Third arising from a data security breach relating to unauthorized access to Visa Cardholder Information retained by TJX. The district court dismissed the third-party beneficiary claims pursuant to Fed.R.Civ.P. 12(b)(6), holding that in a section of the Operating Regulations, Visa expressly intended to preclude third-party beneficiaries. 524 F.Supp.2d at 89. However, that section of the Operating Regulations is in a later version of the Operating Regulations adopted after the events that occurred here. Accordingly, In re TJX is not at all helpful to our analysis.

7 . The standard of review for a dismissal under Fed.R.Civ.P. 12(b)(6) is de novo. Phillips v. County of Allegheny, 515 F.3d 224, 230 (3d Cir.2008). We must review the complaint in light of the Supreme Court’s decision in Bell Atlantic Corp. v. Twombly,-U.S.-, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) and our recent opinion in Phillips v. County of Allegheny, supra, both of which were issued after the district court’s decision. In Twombly, an antitrust case, the Supreme Court rejected the language in Conley v. Gibson, 355 U.S. 41, 45-46, 78 S.Ct. 99, 2 L.Ed.2d 80 (1957), that a district court may not dismiss a complaint "unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” In rejecting that language, the Supreme Court explained that the allegations of the complaint should "plausibly suggest[]” that the pleader is entitled to relief.

In Phillips, a case brought under 42 U.S.C. § 1983, we held that Twombly’s "plausibility” standard is not restricted to antitrust cases. 515 F.3d at 234. Although we commented that the exact boundaries of Twombly are not yet known, we read it to mean that "[fjactual allegations must be enough to raise a right to relief above the speculative level.” Id. (quoting Twombly, 127 S.Ct. at 1965). Put another way, " ‘stating ... a claim requires a complaint with enough factual matter (taken as true) to suggest' the required element.” Id. (quoting Twombly, 127 S.Ct. at 1965). The complaint must state " 'enough facts to raise a reasonable expectation that discovery will reveal evidence of the necessary element.” Id. (quoting Twombly, 127 S.Ct. at 1965). "That is to say, there must be some showing sufficient to justify moving the case beyond the pleading to the next stage of litigation.” Id. at 234-35.

In Wilkerson v. New Media Technology Charter School, Inc., 522 F.3d 315, 322 (3d Cir.2008), we extended "our holding in Phillips to the employment discrimination context. The plausibility paradigm announced in Twombly applies with equal force to analyzing the adequacy of claims of employment discrimination.” We see no reason why Twombly's plausibility standard does not apply to the complaint before us now.

8 . Moreover, in reaching its decision in Bilt-Rite, the Court adopted the Restatement (Second) of Torts § 552, which is entitled: "Information Negligently Supplied for the Guidance of Others,” and which provides:

(1) One who, in the course of his business, profession or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.

(2) Except as stated in Subsection (3), the liability stated in Subsection (1) is limited to loss suffered

(a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and

(b) through reliance upon it in a transaction that he intends the information to influence or knows that the recipient so intends or in a substantially similar transaction.

(3) The liability of one who is under a public duty to give the information extends to loss suffered by any of the class of persons for whose benefit the duty is created, in any of the transactions in which it is intended to protect them.

9 . It appears that PSECU went through the Visa Compliance Process and was made whole by Fifth Third for the money paid to PSECU's cardholders as a result of BJ’s retention of the Cardholder Information.

10 . PSECU initiated the action in state court, but the case was subsequently removed to the Middle District of Pennsylvania. After removal, BJ’s filed a third-party complaint against International Business Machines Corporation, ("IBM”) alleging that IBM’s software failed to comply with BJ’s instructions not to retain Cardholder Information. BJ's sought to recover damages PSECU might be awarded in its suit against BJ's. However, the district court granted IBM's motion to dismiss BJ's third-party complaint. Consequently, that matter is not before us.