By Ross Kerber
The Boston Globe
December 1, 2007
Framingham retailer TJX Cos. agreed to reimburse banks up to $40.9
million as a result of the largest data breach in history, which
compromised as many as 100 million credit and debit card accounts before
it was discovered at the end of last year.
TJX, the parent of discount chains including TJ Maxx and Marshalls,
reached a deal with credit card network Visa Inc. to pay some of the
costs of reissuing cards and covering fraud losses at banks that issue
Visa products, the two companies said yesterday. TJX also said it would
help promote new security standards that Visa, MasterCard Inc., and
banks have struggled to persuade merchants to accept.
In return, the banks would agree not to sue TJX or its partners, and
Visa would suspend some fines it levied after the breach, the companies
The unprecedented terms demonstrate that retailers, banks, and card
companies realize they must stop blaming one another for security lapses
in an industry that handled $3.5 trillion worth of transactions last
year, said Mary Monahan, partner at Javelin Strategy & Research in
California. "We have a merchant and a card company saying, let's end the
finger-pointing here," Monahan said.
"Basically, they're recognizing consumers are tired of these data
breaches and want to be protected," Monahan said. In a recent survey of
1,200 debit and credit card users, Javelin found 40 percent of the
people surveyed had at least one card compromised in the past year, a
level that could potentially erode confidence in the payment networks.
In a statement, Ellen Richey, Visa's head of global risk management,
said, "This agreement demonstrates the importance of retailers and the
payment card industry working together to protect cardholder data. . . .
We hope one outcome of this resolution is recognition that a greater
investment in security is good business."
TJX president and chief executive Carol Meyrowitz said in a statement
her company has improved its own security since the breach. "We have
also learned about the heightened security risks that exist across the
entire US retail and banking industries as a result of today's high tech
criminals. We believe that cooperative action is required by all banks,
payment card companies and merchants to better protect customer payment
card data, and we look forward to working together with Visa to further
Visa is the largest of the payment card networks, with more than 1.6
billion cards in circulation. Yesterday's terms were unique, Monahan
said, since negotiations following a data breach rarely include a direct
deal between a merchant and a card network. Monahan said she expects
MasterCard may make a similar deal with TJX and banks. A MasterCard
spokesman said it wouldn't comment.
Banks that are part of the Visa network and make up at least 80 percent
of the accounts affected by the TJX breach must accept the agreement
before it becomes valid, and it would not cover some foreign losses.
TJX's breach had become a flashpoint for the payments industry amid a
growing threat from hackers. Beginning in January, the company and
outside investigators disclosed how intruders were able to penetrate the
store's data network, apparently by intercepting wireless transmissions
at stores in Florida, and download account numbers that have been used
to conduct fraudulent purchases worldwide. So far the only convictions
involve a group of low-level criminals in Florida that used some of the
numbers to make purchases at local chain stores.
TJX has said at least 45.7 million payment card numbers were
compromised. Visa and MasterCard won't comment, but the total impact of
up to 100 million compromised accounts is spelled out in court filings
TJX still faces lawsuits from New England banks seeking to recover the
costs of issuing cards following the breach. Filings in that litigation
showed Visa had issued $880,000 in penalties against the bank that
processed payments at TJX stores, Fifth Third Bancorp of Ohio, citing
the stores' security failures. Other filings in that case described
numerous computer-security problems at TJX, including a lack of
firewalls to protect data and a reliance on an outdated
wireless-security protocol that is more vulnerable to hackers.
As part of yesterday's deal, Visa said it would waive certain fines
against Fifth Third and move the money into the broader recovery fund.
The fund is meant to cover the costs banks faced for fraud losses and
expenses like reissuing cards, though a Visa spokeswoman declined to
give details on the total costs to banks. Visa said banks could expect
more reimbursement if they agreed to the deal than they could expect
under existing antifraud programs. Fifth Third also is part of the
Another part of the deal would have TJX help promote tougher security
standards that Visa and other card networks wanted large merchants to
meet by Sept. 30 of this year. Only 65 percent did so, according to
Visa's most recent figures.
TJX had previously said it faced costs of $256 million as a result of
the breach, and it has set money aside for those costs. Yesterday, it
said its estimates included the potential $40.9 million payment to
Copyright 2007 Globe Newspaper Company.