A federal appeals court revived a lawsuit seeking to hold Barnes & Noble Inc responsible for customer losses from a 2012 data breach, where fraudsters tampered with payment verification machines known as PIN pads at 63 bookstores in nine U.S. states.

In a 3-0 decision on Wednesday, the 7th U.S. Circuit Court of Appeals in Chicago said victims deserved a chance to seek damages for buying credit monitoring services, losing access to their money while banks reversed unauthorized charges, and spending time to set matters right.

Circuit Judge Frank Easterbrook said a lower court judge wrongly concluded that the plaintiffs, Heather Dieffenbach of California and Susan Winstead of Illinois, lacked legal standing to sue over the “skimming” of credit and debit card data, including PIN numbers.

But he said they face challenges, because state laws did not expressly make retailers liable for failing to “crime-proof” their payment systems, and it was “far from clear” that customers’ claims were similar enough to justify a class action.

The breached PIN pads were in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.

Barnes & Noble spokeswoman Mary Ellen Keating declined to comment. Erich Schork, a lawyer for the plaintiffs, said he was pleased with the decision and looks forward to further litigation.

The case was returned to U.S. District Judge Andrea Wood in Chicago, who dismissed the lawsuit last June.

The case is Dieffenbach et al v Barnes & Noble Inc, 7th U.S. Circuit Court of Appeals, No. 17-2408.